Why CISA Accepting KEV Nominations Is So Important

The Cybersecurity & Infrastructure Security Agency (CISA) announced it will be accepting nominations to its Known Exploited Vulnerabilities (KEV) catalog, enabling vendors, researchers and industry partners to report vulnerabilities they have seen exploited in the wild for inclusion in the catalog.
In a statement, the agency explained, “CISA’s KEV Nomination Form aligns with our Vulnerability Disclosure Policy (VDP) Platform and Coordinated Vulnerability Disclosure (CVD) Program, which together encourage good faith security research and promote transparent, coordinated remediation of cyber risks. Public reporting to CISA is essential to the nation’s cybersecurity posture, helping ensure that exploited vulnerabilities are discovered early, communicated responsibly, and mitigated quickly across federal, private, and critical infrastructure networks.”
Two main benefits security experts anticipate from this change are:
- The ability to source more intelligence
- An increase in structure and visibility
Crowdsourcing Intelligence
“This is a strong example of CISA operationalizing its partnership with the cybersecurity research community in a very practical way,” remarks Robert Costello, Chief Digital and Information Officer at Merlin Group. “Crowdsourcing exploitation intelligence through a standardized nomination process means faster KEV additions and, ultimately, faster defensive action across the whole ecosystem. It’s the right move at the right time, as AI is accelerating both the discovery and exploitation of vulnerabilities at a pace that makes early, coordinated disclosure more critical than ever.”
More Structure, More Visibility
“This is a new formal, structured, public-facing submission mechanism,” states Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit. “Earlier, it lived as a plain, unstructured email address mentioned in BOD 22-01 guidelines. Organizations or individuals with information about an exploited vulnerability that is not currently listed on the KEV were previously encouraged to contact CISA at vulnerability@mail.cisa.dhs.gov and report their evidence.
“Before this, there were no external reports on how many vulnerabilities were added to the KEV based on submissions to this email address. With this form, a CVE-ID, clear mitigation guidelines and exploitation evidence are made mandatory as part of the current submission process. Vendor and product information is also requested as part of the information collection process. Hopefully, this functionality will now provide visibility into what exactly happens post-submission.”
What Remains to Be Seen
“What needs to be seen is how this information is verified by CISA and what guardrails against incorrect and false reporting are put in by CISA so that only real and validated exploitation observations make it to the KEV list,” says Dani. “It’s possible that CISA is trying to play catch up, as commercial alternatives to CISA KEV are available and CISA KEV is a trailing indicator of vulnerability exploitation.”