CVE is an international program for identifying and naming cybersecurity vulnerabilities.
The use of common identifiers makes it easier to share and cross-check data across the multiple databases that track vulnerabilities.
Sophos' CNA status means it is authorised to assign CVE identification to unique vulnerabilities within the scope of its products.
This means security researchers can work directly with Sophos to open CVEs for the company’s products, simplifying the process of reporting issues and assigning CVEs.
"Sophos' new status as a CNA is another example of our commitment to be transparent, and by having the ability to assign CVEs, we can provide the industry with pertinent information about our products faster," said Sophos vice president and chief information security officer Ross McKerchar.
"This allows organisations to more quickly assess security issues, determine the scale of urgency and prioritise updates.
"Sophos' CVEs will also get entered into the multiple CVE-compatible databases within the industry. By working collectively on these databases with other vendors and industry standards watchguards, we can together improve defences against persistent attackers."
CVE board member Kent Landfield said "The Common Vulnerabilities and Exposures Team welcomes Sophos as our newest CVE Numbering Authority.
"Sophos has a strong reputation of contributing to the global digital security community, producing antivirus, encryption and cybersecurity capabilities for over 30 years. Their experience brings real value to the CVE Program. We are very pleased to have Sophos as a contributing member of the CVE team."
There are 152 CNAs as of 13 January 2021. The only Australia-based CNA is tool vendor Atlassian.