...
However, MITRE has designated a small group of third party organization as CVE Naming Numbering Authorities (CNAs), meaning these organizations have limited authority on assigning CVE IDs without MITRE's involvement in some circumstances. CNAs are expected to follow the same assignment rules that MITRE follows. The CNAs then report the CVE IDs to MITRE, or publish an advisory with the CVE IDs, so that MITRE can include the CNA-assigned CVE IDs in the overall MITRE dictionary.
...