The CVE™ Program's "Supplier CVE Numbering Authority (CNA) as Authorized Data Publisher Pilot (SADP Pilot)," was announced on March 24, 2026, and officially launched on April 1, 2026.

SADP Pilot participants (Cisco, HeroDevs, Microsoft, Oracle, Red Hat, and Siemens) can add SADP (i.e., VEX-like) content to CVE Records as data points on how reported vulnerabilities affect their products.

Where to View SADP-Enriched CVE Records

  • Official CVE List — The SADP Pilot is integrated into published CVE Records on the official CVE List. All SADP-enriched records are viewable as part of the CVE List in the CVEList GitHub Repository and through the search capability located on the CVE website (search on the term "SADP" and click the SADP tag to see enriched content for that record).
  • SADP Pilot GitHub Repository — A dedicated GitHub repository has been created for this pilot to make it easy to review all SADP-enriched records in one place. Records containing SADP content are copied this repository, which is structured in the same manner as the CVE List but contains only CVE Records with SADP content. The SADP GitHub Pilot repository is synchronized with the official CVE List repository every 15 minutes, and always reflects the latest published CVE Records containing SADP content.

Feedback Requested

The SADP Pilot is scheduled to run from April 2026 through July 2026. SADP suppliers will continue to add content throughout this timeframe. We encourage you to check the CVE website and the SADP Pilot GitHub Repository regularly as new CVE Records with Supplier-enriched content are expected to appear on an ongoing basis.

Your feedback is essential to determining how SADP and supplier-provided content should be supported in the CVE Program after the pilot concludes. Please provide feedback by commenting on the CVE Blog on Medium, or use the CVE Request Web Form and select "Other" from the dropdown menu.

When providing feedback, it is especially helpful if you describe:

  • How you discovered and used SADP content (e.g., via CVE.ORG, GitHub, or a vulnerability management tool)
  • Whether SADP content helped reduce false positives, triage time, or vendor interaction
  • Any gaps, ambiguities, or additional fields you would like to see
  • Suggestions for how this data should be surfaced or standardized going forward

Additional Information

View the initial pilot announcement, "Supplier ADP Pilot — CVE Program to Explore Benefits of Supporting VEX-like, Product Status Information in Upstream CVE Records" on the CVE website, or visit the SADP Pilot Repository on GitHub.