TL;DR: According to SailPoint, CNA authorization means vulnerabilities in its own offerings can be assigned CVE IDs, which improves disclosure consistency and makes it easier for security teams to correlate advisories with the CVE List and the NVD. The change matters because vulnerability governance is now an explicit part of identity programme operations, not a side process.
NHIMG editorial — based on content published by SailPoint: SailPoint Authorized as a CVE Numbering Authority (CNA)
Questions worth separating out
Q: How should IAM teams use CVE records for identity platform vulnerabilities?
A: IAM teams should treat CVE records as the common reference point for triage, ticketing, and remediation tracking.
Q: Why do vulnerabilities in identity platforms require special handling?
A: Identity platforms require special handling because they sit in the control plane for authentication, provisioning, and privileged access.
Q: What breaks when CVE publication is not tied to internal ownership?
A: When CVE publication is not tied to internal ownership, teams often get visibility without remediation.
Practitioner guidance
- Map identity-platform advisories to CVE workflows: route every identity product vulnerability into the same ticketing, triage, and exception process used for other high-impact security issues.
- Classify IAM systems as control-plane assets: apply stricter service ownership, patch validation, and change approval rules to identity platforms than to ordinary applications, because they mediate access to downstream systems.
- Link disclosure to remediation ownership: require each identity-platform CVE to carry a named owner, an affected-service inventory, and a remediation SLA, so that publication translates into action rather than awareness.
What's in the full article
SailPoint's full blog post covers the disclosure and publication details this post intentionally leaves for the source:
- How CNA authorization changes the process for assigning and publishing CVE records for SailPoint offerings
- What SailPoint says about publication on its Security Advisories webpage and the CVE official website
- The underlying explanation of what a CNA is and how the CVE List is maintained
- How CVE records support common language for vulnerability coordination across stakeholders
👉 Read SailPoint's blog on CNA authorization and CVE publication for its products →
CVE Numbering Authority status: what does it mean for IAM teams?
Explore further
Vendor-authored CVE authority is a disclosure maturity signal, not a security guarantee. When an identity vendor can assign CVEs to its own vulnerabilities, the immediate benefit is cleaner publication and more consistent coordination. That helps teams align advisories, scanner findings, and remediation tickets. The governance test is whether the organisation can still independently assess impact and not confuse disclosure maturity with product assurance.
A few things that frame the scale:
- 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
- 45% of organisations cite lack of credential rotation as the top cause of NHI-related attacks, which shows how often governance failures still start with basic lifecycle control, according to The State of Non-Human Identity Security.
A question worth separating out:
Q: How do security teams decide whether an identity CVE is urgent?
A: Security teams should prioritise identity CVEs by whether the affected component sits in authentication, provisioning, admin, or privileged access paths, and by whether it is internet-facing or broadly reachable. A flaw in those paths is usually more urgent because it can expand access rather than just disrupt a single service.
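As an added example that is not from SailPoint's post or the NHIMG editorial, the following Python models the two rules above (the ownership fields from the practitioner guidance, and the urgency test from this answer); every CVE ID, component and service name in it is a constructed placeholder.

```python
# Added example (not SailPoint's or NHIMG's code): triage identity-platform CVE
# records by the two rules above. Every CVE ID, component and service here is a
# constructed placeholder.
from dataclasses import dataclass, field

# Access paths the editorial treats as control plane: a flaw here expands access.
CONTROL_PLANE_PATHS = {"authentication", "provisioning", "admin", "privileged_access"}

@dataclass
class IdentityCve:
    cve_id: str                       # placeholder, not a real CVE number
    component: str
    paths: set                        # access paths the component sits in
    internet_facing: bool
    owner: str = ""
    affected_services: list = field(default_factory=list)
    remediation_sla_days: int = 0

def missing_ownership_fields(cve):
    """Governance fields a record still lacks; an empty list means it is actionable."""
    missing = []
    if not cve.owner:
        missing.append("owner")
    if not cve.affected_services:
        missing.append("affected_services")
    if cve.remediation_sla_days <= 0:
        missing.append("remediation_sla_days")
    return missing

def urgency(cve):
    """Control-plane exposure outranks reachability; both together is critical."""
    in_control_plane = bool(cve.paths & CONTROL_PLANE_PATHS)
    if in_control_plane and cve.internet_facing:
        return "critical"
    if in_control_plane or cve.internet_facing:
        return "high"
    return "medium"

def triage(records):
    """Return (cve_id, urgency, missing governance fields), most urgent first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    rows = [(c.cve_id, urgency(c), missing_ownership_fields(c)) for c in records]
    return sorted(rows, key=lambda r: rank[r[1]])

# Constructed sample records: one fully owned, one unowned, one partially owned
SAMPLE = [
    IdentityCve("CVE-XXXX-0002", "report-export", set(), False),
    IdentityCve("CVE-XXXX-0001", "sso-login", {"authentication"}, True, "iam-platform", ["sso"], 7),
    IdentityCve("CVE-XXXX-0003", "connector-scheduler", {"provisioning"}, False, "iam-platform"),
]
```

Running `triage(SAMPLE)` puts the internet-facing authentication flaw first and shows which published records still lack an owner, service inventory or SLA.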
👉 Read our full editorial: CVE Numbering Authority status and what it changes for IAM