Toreon authorized by the CVE Program as a CVE Numbering Authority

Toreon has been authorized by the CVE Program as a CVE Numbering Authority (CNA)

Press Release 

Antwerpen, June 18, 2025 – Toreon has been officially authorized by the CVE Program as a CVE Numbering Authority (CNA). This designation allows Toreon to assign official CVE identifiers (CVE IDs) to vulnerabilities discovered by or reported to Toreon that are not in another CNA’s scope.

Toreon believes that securing the end product alone is not enough. Modern software is built on layers of third-party components, open-source dependencies, and reusable frameworks. If these foundational building blocks are insecure, everything built on top of them is at risk. That’s why much of Toreon’s research focuses on these critical elements, the technologies development teams rely on every day.

With its new CNA status, Toreon can now disclose the vulnerabilities it uncovers in a formal, standardized way. Publishing CVE Records makes it easier for the broader cybersecurity community to track issues, respond quickly, and coordinate fixes across ecosystems.

For clients, this means partnering with a security firm that not only secures specific systems but also works upstream to improve the tools and libraries those systems depend on. It’s a broader, more proactive approach to cybersecurity, one that aims to make the entire digital landscape safer, one vulnerability at a time.

The newly acquired CNA status also strengthens Toreon’s rapidly growing capabilities in AI penetration testing. Toreon has been at the forefront of AI and machine learning security research, with a dedicated team focused on uncovering real-world vulnerabilities in the tools, platforms, and frameworks powering today’s AI systems.

As a security researcher, I want to make sure that my impact reaches as far as possible. That’s why CVEs matter: they turn a vulnerability into something the whole community can act on. Publishing a blog post or a proof of concept is great, but assigning it a CVE means defenders, vendors, and researchers are all speaking the same language. It makes the work count where it really matters. Becoming a CNA is instrumental in this as it allows us to optimize our processes and spend more time doing what we love: finding creative exploits before the bad guys do!

Robbe Van Roey
Senior Consultant

This isn’t theory: Toreon has already contributed dozens of CVEs in widely used AI infrastructure, including:

These aren’t obscure edge cases; they’re vulnerabilities in the core building blocks of today’s AI pipelines. Toreon’s penetration testing services go beyond scanning inputs, analysing the internals of inference servers, vector databases, prompt frameworks, and orchestration layers to find logic flaws, injection vectors, and unsafe defaults that others miss.

For organizations investing in AI, this means Toreon can help secure the full stack, from the custom models you train to the platforms you integrate. And when something that puts more than just one organization at risk gets discovered, Toreon now has the means to disclose it quickly, responsibly, and globally.

Steven Wierckx
Expert Consultant

The Toreon product security team is motivated to build a more secure online experience for everyone. Finding and reporting on problems in existing software is part of that mission. We actively search for, find and report security problems. To make our process more efficient, we have decided to become a CNA so we can spend more time on finding security problems.

What is CVE?

The Common Vulnerabilities and Exposures (CVE™) program is a global, community-driven initiative that identifies, defines, and catalogs publicly disclosed cybersecurity vulnerabilities. Each vulnerability is assigned a unique CVE ID and published in the CVE List to ensure consistent reference across tools and organizations.

CVE Records are created by trusted partners known as CVE Numbering Authorities (CNAs), who ensure accurate and standardized descriptions. These records help cybersecurity professionals coordinate efforts, prioritize responses, and protect systems effectively.

By offering a shared language for discussing vulnerabilities, CVE helps reduce confusion, save time, and improve collaboration across the cybersecurity community.

About the CVE program

The mission of the Common Vulnerabilities and Exposures (CVE™) Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.

About Toreon

Toreon is a Belgian cybersecurity services company with a strong international reputation for helping organizations secure their products and operations by design. As a leader in Product Security, Toreon enables companies to proactively identify and remediate vulnerabilities through ethical hacking, red teaming, phishing simulations, and tailored penetration testing.

In addition to hands-on testing services, Toreon helps organizations assess their overall security maturity and build custom roadmaps for long-term improvement. Through our CISO-as-a-Service offering, we provide ongoing strategic guidance to help clients manage risk and build resilience from the boardroom to the codebase.

Contact details

Robbe van Roey, Robbe.vanroey@toreon.com
