hackrate | news

Press release: Hackrate becomes Hungary’s first CVE Numbering Authority

This article explains Hackrate’s new status as Hungary’s first CVE Numbering Authority (CNA) and what that means in practice for coordinated vulnerability disclosure.

Balazs PoznerJanuary 13, 2026 · 5 min read · Last Updated:

Budapest, Hungary, January 13, 2026

Hackrate has been authorized by the CVE Program as a CVE Numbering Authority (CNA). Hackrate will operate under the CISA ICS Root hierarchy. This makes Hackrate Hungary’s first organization with the authority to assign CVE IDs (Common Vulnerabilities and Exposures) for eligible vulnerabilities within its approved CNA scope.

The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. CVE provides a shared reference so security teams, vendors, and tools can reliably talk about the same vulnerability using a consistent identifier and record.

A CNA is not a badge, but an operational role in the global vulnerability identification process. As a CNA, Hackrate can reserve CVE IDs, assign them to validated issues, and publish CVE Records in accordance with CVE Program rules and coordination requirements. Hackrate will only assign a CVE ID and publish a CVE Record when it is appropriate and when the program owner explicitly approves creating a CVE as part of their disclosure plan.

This capability is an opportunity for Hackrate customers and for the local security community. It does not change anything by default for every program on Hackrate and it does not mean CVEs will be created automatically.

What changes with CNA status

In many disclosure workflows, the CVE step becomes a sequencing problem. An ethical hacker reports a bug, a vendor confirms and fixes it, and then the parties still need a separate path to obtain a CVE ID from an external CNA. That handoff can introduce delays, inconsistent records, and unnecessary back-and-forth over validation details.

With CNA capability inside Hackrate, CVE assignment can be integrated into the same place where the report is already triaged and coordinated. This provides a simpler, approval-based path when a program owner decides a CVE is the right outcome for a given issue.

How the workflow changes on Hackrate

Reporting, technical validation, coordinated disclosure, and CVE ID assignment can be handled within a single workflow. If a program owner wants to create a CVE for an eligible vulnerability and would like support with the process, Hackrate can assist through CVE ID assignment and CVE Record preparation.

During triage, we can help structure the data needed for a high-quality CVE Record, including affected products and versions, vulnerability type (for example CWE mapping), and primary references such as vendor advisories or patch information. CVE Records are prepared for publication in alignment with coordinated disclosure and remediation timelines.

What this means for companies

If you run a VDP or bug bounty on Hackrate and you maintain software used by others, CVE identifiers are often part of how vulnerabilities are tracked and referenced across the industry. Hackrate can now support that process directly when a CVE is appropriate and when you approve it.

  • Integrated CVE handling: If a report is validated and the issue is CVE-eligible, Hackrate can assign the CVE ID as part of the same triage and coordination track, without needing an additional external CNA step.
  • Optional by design: Not every vulnerability needs a CVE. Internal-only systems and private applications often do not benefit from a public identifier. For externally distributed products, open-source components, or on-prem software, CVEs are frequently the expected identifier.
  • Approval-based process: We will not create or publish CVE Records without explicit program owner approval. If you want to manage CVEs entirely on your side, you can continue to do so. If you want support, we can help.

What this means for ethical hackers

For researchers, the biggest practical gain is reduced administrative friction after the technical work is already done. When your report is CVE-eligible and the program owner approves creating a CVE, the validation and CVE assignment can happen with a CNA involved in the same workflow that already triages the report.

Once remediation and disclosure timing are agreed with the vendor, and creating a CVE is approved by the program owner, the CVE ID can be assigned without an extra external queue.

Closing

Hackrate’s CNA status expands what we can deliver across the full vulnerability lifecycle: discovery through our VDP and bug bounty programs, technical validation through triage, coordinated disclosure with the vendor, and now official identification through CVE IDs and CVE Records, when program owners choose to use it.

Maintaining a global vulnerability identifier system is a complex, industry-wide task involving coordination, deduplication, and record quality at scale. We are glad to contribute in a small but practical way by helping program owners and ethical hackers create timely, high-quality CVE Records when they are needed.

If you are a program owner managing coordinated disclosure, Hackrate can now serve as a direct bridge into the CVE ecosystem under the CISA ICS Root structure.

hackratenews

Written by Balazs Pozner
CEO and Founder of HACKRATE Ltd.

Related ArticlesView All

Let 2026 be the year bug bounty becomes part of how you build and operate
January 05, 2026 · 4 min read

This article explains why 2026 is the right time to make bug bounty a practical, continuous security feedback loop and how Hackrate can help you launch it with confidence.

balazs pozner
by Balazs Poznerin hackrate,ethical-hacking,security-testing,news,getting-started
Ministry of Regional Development of the Czech Republic Launches Public Bug Bounty Program with Hackrate
July 16, 2025 · 2 min read

The Ministry of Regional Development of the Czech Republic partners with Hackrate to launch a public bug bounty program—empowering ethical hackers to strengthen national cybersecurity and set a precedent for the European public sector.

balazs pozner
by Balazs Poznerin security-testing,ethical-hacking,news,hackrate
Measuring the Success of Bug Bounty Programs: Outdated vs. Modern Approaches
March 25, 2025 · 4 min read

Shift from outdated metrics to advanced methods with Hackrate’s HackGATE to monitor the success of your Bug Bounty Programs.

Levente Molnar
by Levente Molnarin security-testing,ethical-hacking,news
A VDP szerepe a NIS 2 megfelelésben: Amit a sérülékenység közzétételi irányelvről tudni kell
September 02, 2024 · 7 min read

Az előző cikkben bemutattuk a NIS 2 irányelv követelményeit és a magyar vállalatokra gyakorolt hatását. Ebben a posztban részletesen tárgyaljuk a sérülékenység közzétételi irányelvet (VDP), amely a NIS 2 egyik kulcsfontosságú eleme. Megvizsgáljuk, miért nem elegendő egy egyszerű email cím a sérülékenységek bejelentésére, és miért van szükség jól felépített, strukturált VDP-re a vállalatok kiberbiztonsági pozíciójának erősítésére.

balazs pozner
by Balazs Poznerin security-testing,ethical-hacking,news
Why choose managed Vulnerability Disclosure Programs (mVDP)?
August 30, 2024 · 10 min read

Discover the importance of a well-structured Vulnerability Disclosure Policy (VDP) in the context of the NIS 2 Directive. Learn how VDPs enhance security, ensure legal compliance, boost reputation, and foster collaboration with the cybersecurity community.

balazs pozner
by Balazs Poznerin security-testing,ethical-hacking,news
Pentesting AI Applications with Hackrate and SplxAI
August 12, 2024 · 4 min read

With the implementation of the EU’s AI Act, Hackrate and SplxAI are enhancing AI security through a combination of automation and ethical hacking. Their partnership ensures comprehensive assessments, identifying vulnerabilities and ensuring compliance with new regulations.

balazs pozner
by Balazs Poznerin security-testing,ethical-hacking,news