CNAs, or CVE Numbering Authorities, are an essential part of
vulnerability reporting because they make up a cohort of bug bounty
programs, organizations, and companies involved in the secure
software supply chain. When millions of developers depend on your
projects, as in Docker’s case, it’s important to be a CNA to
reinforce your commitment to cybersecurity and good stewardship as
part of the software supply chain. Previously, Docker reported CVEs
directly through MITRE and GitHub without CNA status (there are
many other organizations that still do this