FOR IMMEDIATE RELEASE

Contact: [email protected]
Subject: Vulnerability Naming Authority Announces Naming Process and Domain Allocation
Embargo: None

The Vulnerability Naming Authority (VNA), in coordination with the CVE Numbering Authority consortium and the National Telecommunications and Information Administration, has published a unified process for the assignment, registration, and disclosure of named vulnerabilities. The process introduces a controlled vocabulary, a centralised approvals registry, and a top-level domain, .vuln, allocated for use exclusively in disclosure communications.

The process applies to any vulnerability disclosed publicly by an entity operating within the United States. Vulnerabilities assigned only a CVE identifier remain out of scope.

The Naming Process

A named vulnerability is defined as a vulnerability that the discoverer intends to refer to by name in disclosure materials, including but not limited to: the discoverer’s blog, the discoverer’s employer’s blog, the discoverer’s employer’s marketing department’s blog, a conference programme, a podcast episode title, and any subsequent press coverage.

Each named vulnerability is described by a structured record. The record contains a primary monosyllable, an optional Latinate suffix, a single SVG logo, a designated colour from a reserved palette, and a one-line description suitable for a slide.

Names are checked against a deconfliction database before assignment. The database is seeded with the prior canon: Heartbleed, Shellshock, Spectre, Meltdown, BlueKeep, POODLE, DROWN, KRACK, Dirty COW, Log4Shell, ProxyLogon, ProxyShell, PrintNightmare, ZeroLogon, Follina, Spring4Shell, Text4Shell, Looney Tunables, regreSSHion, LeakyVessels, Terrapin, LogoFAIL, PixieFAIL, NameDrop, TunnelVision, GoFetch, BootHole, SeriousSAM, HiveNightmare, Sinkclose, Retbleed, Zenbleed, Downfall, Reptar, Inception, and AmberWolf. New entries are imported nightly from the vulnerability.garden feed, which grows at approximately one entry per day.

A name that collides with an existing record receives a numeric suffix. A name that collides with a registered trademark receives a different name. A name that collides with a pharmaceutical product is referred for adjudication.

The .vuln Domain

The .vuln top-level domain has been delegated to the Authority by IANA following a public comment period in which two comments were received, one of which was from the authors of the prior draft.

Under the relevant executive order, any entity headquartered in the United States disclosing a previously unpublished CVE through a public blog post in the English language is required to register the corresponding .vuln domain within 72 hours of disclosure. The domain must resolve to a single-page site containing the CVE record, the CVSS vector, the approved logo, an FAQ, and downloadable press materials. The site must not contain advertising, with the exception of a single recruitment banner of no more than 200x100 pixels.

The disclosure_url field of the CVE record is validated against the registry. Records pointing outside .vuln are flagged in the public feed and marked non-conforming. Validation runs on a 72-hour SLA, which exceeds the SLA on the CVE record itself.

Civil penalties for non-conforming disclosure begin at five thousand dollars per day. The schedule includes exemptions for entities with annual gross revenue below a threshold to be determined, for federally funded research institutions, and for one named trade association added to the schedule during rulemaking at its own request.

Disputes over .vuln ownership are resolved under the Uniform Vulnerability Naming Dispute Resolution Policy (UVNDRP). Domains abandoned by the original discoverer enter a redemption period during which vendors, journalists, security consultancies, and conference organisers may submit competing claims.

Existing named vulnerabilities have been migrated. heartbleed.vuln redirects to the Codenomicon foundation site. log4shell.vuln is held by the Apache Software Foundation. shellshock.vuln is in the possession of a domain investor in Wyoming who has declined to respond to acquisition inquiries.

The Application and Review Process

Applications are submitted through the VNA portal. Each application requires a draft name, a proposed logo in vector format, a colour preference, a CVSS vector, a brief technical description, and a non-refundable processing fee. The fee is waived for academic disclosures, federal agencies, and applicants who can demonstrate that their previous submission was rejected for tonal inconsistency.

The application progresses through five stages: pre-disclosure review, discoverer review, vendor review, brand review, and the Final Naming Committee. The Final Naming Committee meets once a fortnight in Reston, Virginia. Quorum is four members, of which the committee currently seats three.

Names are evaluated against the following criteria:

  • No syllable may be in active use by a managed detection and response vendor’s mascot.
  • The name must not have been previously rejected within the last three years, except where the rejection was overturned on appeal.
  • The logo must remain legible at 16x16 pixels and on a projector in a hotel ballroom.
  • The colour must not be either of the two colours already allocated to the two largest endpoint security vendors.

Concurrent Disclosure and Priority

Where two or more discoverers submit applications for the same underlying CVE within a single review window, priority is determined by the order in which complete applications were received. Applications missing a logo or a colour preference are returned for revision; the discoverer may file a priority objection, heard at the next meeting of the Final Naming Committee that achieves quorum.

If two applications are subsequently merged into a single CVE, the senior name is retained and the junior discoverer is credited as a co-discoverer in the FAQ section of the disclosure site, in alphabetical order, in a font size of not less than 60% of the senior discoverer’s.

A vendor publishing a counter-name for a vulnerability already approved by the Authority must log it in the registry as an unofficial alias and may not register it as a .vuln subdomain. Conflicting registrations are referred to the Naming Disputes Subcommittee, whose decisions may be appealed to the Naming Disputes Appeals Subcommittee. The Appeals Subcommittee has not yet been constituted.

Where the scoop on a vulnerability is contested between the discoverer and a journalist present at an earlier conference talk, the journalist is not eligible to file.

Vulnerabilities affecting model serving infrastructure, retrieval pipelines, MCP servers, agent frameworks, and any component the discoverer can plausibly describe as “AI-adjacent” are filed under a separate carve-out. The carve-out was established in response to submission volume: AI-related disclosures currently arrive at a rate of approximately fourteen per business day, exceeding the Final Naming Committee’s review capacity by an order of magnitude. OpenClaw and the ClawHub package registry account for the majority of weekly submissions. Volume has continued to increase notwithstanding repeated requests from the Authority that the AI community consolidate disclosures.

Applications under the carve-out are routed to the AI Vulnerability Review Board, an instance of Anthropic’s Vulnaire model fine-tuned on the deconfliction database and the prior canon. Vulnaire scores each submission against the published criteria, drafts a recommended name, and either approves, defers, or returns it for revision. Decisions are published to the registry within four hours of submission. The auto-approval threshold was tuned downward after the first week of operation, during which Vulnaire approved every submission, including one that named itself, one that named the Authority, and one that named the Final Naming Committee. Subsequent retraining has reduced but not eliminated this behaviour.

Names approved by Vulnaire receive an “AI-reviewed” badge in the registry, in the same colour as the Authority’s wordmark. Several vendors have petitioned to have the badge removed; the Authority has declined. The Final Naming Committee reviews a five per cent sample of AI-approved names each fortnight. No sampled name has been overturned to date, though four have been marked for follow-up at the discretion of the reviewer. Follow-up is logged but not enforced.

Recent Approvals

The following names were approved at the May session, in order of disclosure: GoblinTap, EchoLeak2, GhostTunnel, VulpineShade, RustBleed, KarenRegex, ShadowFetch, TuesdayShell, YubiBait, UntitledFolder3, and ConcernedDog.

ConcernedDog2, filed twelve days later by a competing vendor against an unrelated CVE, has been deferred to the brand review subcommittee. Cassandra was filed twice in the same week; the second filing was approved as Cassandra2 following an objection from the first discoverer’s employer.

The first evergreen name, Heartbleed (2027), has been leased to a managed detection vendor for an undisclosed fee. Heartbleed (2014) is grandfathered. Subsequent year-suffixed instances will enter the rotation as their predecessors expire.

Two applications were rejected at brand review for tonal inconsistency with the severity vector, including AbundanceOfCaution, noted as insufficiently severe in either direction. One application was referred for pharmaceutical adjudication. The outcome is not public. GoatFarm was withdrawn at the discoverer’s request following a change of professional circumstances.

Roadmap

Planned namespaces include vendor, foundation, government (with a sub-namespace per attributing agency), and academic (in which submitted names must include at least one citation). A delegation protocol is being drafted to allow accredited research labs to operate subordinate naming authorities under, for example, project-zero.vuln.

A retrospective conformance pass is in preparation. Vulnerabilities disclosed before the establishment of the Authority will be required to refile under the present process. Grandfathered evergreen names will be unreserved and re-released to the auction pool. The Authority is consulting on a transitional grandfathering scheme for the existing grandfathering scheme.

A working group, chartered to define the conflict resolution process between the namespace layer and a planned trademark layer above it, meets concurrently with the Final Naming Committee and has not yet established a quorum. A second working group, on the historical etymology of vulnerability naming, will produce a report drawing on telecommunications, virology, and cryptozoology, due in eighteen months. Its terms of reference are under review by itself.
The Vulnerability Naming Authority is a 501(c)(6) trade association incorporated in Delaware. Its mission is to standardise the assignment, registration, and disclosure of named vulnerabilities. The Authority does not investigate vulnerabilities, assign CVE identifiers, coordinate disclosure, validate technical claims, or provide remediation guidance.