Since 15 January 2020, INCIBE has been indentified as CNA, CVE - Common Vulnerabilities and Exposures - Numbering Authority, taking on, from this date, the good management and vulnerability discovery practices of said program.
This implies that INCIBE becomes one of the organisations authorised to designate CVE identifiers within its scope.
INCIBE CNA Contact
To report a vulnerability to the INCIBE CNA, send an email to . It is advisable to transmit the information encrypted with the public PGP key associated with this mailbox.
Download public key.
You can verify the authenticity of this key by downloading it to your key ring and executing the command:
$ gpg -k pub rsa4096 2019-12-20 [expires: 2021-12-19] key fingerprint E3AD A30A 89B3 F90D 5FBB 624B B5FA AD1E 641B AA47 uid Spanish National CNA <> sub rsa4096 2019-12-20 [expires: 2021-12-19] sub rsa4096 2019-12-20 [expires: 2021-12-19]
The accepted languages for receiving the information are: Spanish and English.
INCIBE vulnerability management process
Once the notification is received, INCIBE will confirm its receipt and will begin communication with the party concerned within a period not exceeding 72 hours.
The process of managing each vulnerability follows the following phases:
- Phase I: Gathering information
- Phase II: Analysis
- Phase III: Coordination
- Phase IV: Mitigation
- Phase V: Disclosure
Deadlines for disclosure
As a CNA, the period for disclosing a vulnerability is agreed on a case-by-case basis, with the investigator who reported it and the organisation that is solving it.
The delay between the acceptance of the vulnerability and its disclosure will only be extended if the actors involved are preparing and testing an effective and efficient solution to the problem, giving sufficient time to verify any other related problem and not generating others in said process.
At the same time, this publication policy will ensure that the end users of said product are not aware of a published vulnerability without having any means of updating it.
INCIBE will not publicly announce vulnerabilities until the corrections are available, as long as work is being done to solve it: likewise, if, due to the characteristics of the vulnerability (risk, impact ...) it is necessary, it reserves the right to be able to notify, as an exceptional case prior to publication, the actors involved.
If, for any reason, the person in charge of its correction does not show evidence of having performed any type of action to solve it, by default the vulnerability may be published after 45 days.