
CISA Opens Known Exploited Vulnerabilities Catalog to Outside Submissions

The Cybersecurity and Infrastructure Security Agency has created a formal pathway for security researchers, vendors, and industry partners to nominate vulnerabilities to its Known Exploited Vulnerabilities catalog, expanding a program that has become one of the most widely referenced tools in the cybersecurity community.


CISA announced the new nomination form on Thursday, saying it will allow outside parties to flag bugs they believe warrant addition to the KEV — a list that, since its debut in 2021, has served as an authoritative guide for federal agencies on which software and hardware vulnerabilities require patching within a defined window, typically three weeks.


"Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities. This new reporting capability enhances CISA's ability to identify, validate, and quickly share critical threat information," said Chris Butera, CISA's Acting Executive Assistant Director for Cybersecurity.


Submitters using the new form must provide technical details about a given vulnerability as well as evidence of active exploitation. CISA said it previously accepted emailed submissions, but that channel offered no transparency about how many nominations actually resulted in KEV additions.


Robert Costello, who served as CISA's chief information officer for nearly five years before departing in March, said the standardized process will accelerate defensive action across the broader ecosystem. "Crowdsourcing exploitation intelligence through a standardized nomination process means faster KEV additions and, ultimately, faster defensive action across the whole ecosystem," he said. "It's the right move at the right time, as AI is accelerating both the discovery and exploitation of vulnerabilities at a pace that makes early, coordinated disclosure more critical than ever."


The move comes as defenders contend with a growing volume of AI-discovered vulnerabilities, many of which researchers say are unlikely to be exploited in practice. Studies have found that organizations remediate vulnerabilities added to the KEV 3.5 times faster than those not on the list, underscoring its practical weight as a triage tool.


Qualys researcher Mayuresh Dani welcomed the new form but raised questions about verification. "What needs to be seen is how this information is verified by CISA and what guardrails against incorrect and false reporting are put in by CISA so that only real and validated exploitation observations make it to the KEV list," Dani said. He also noted that commercial alternatives to the KEV have emerged, with some in the industry now viewing the catalog as a trailing indicator of exploitation activity.


The catalog has also seen a shift in urgency at the individual entry level. While most bugs originally received three-week remediation deadlines, the number of entries carrying three-day and even 24-hour patch windows has risen over the past year. Earlier this month, CISA Acting Director Nick Anderson and U.S. National Cyber Director Sean Cairncross floated the possibility of capping all new KEV deadlines at three days, citing the speed at which AI systems can now generate working exploits.
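As an added example (not part of the article, and not CISA's own tooling), a small triage helper over entries shaped like CISA's public KEV JSON feed: it computes each entry's patch window from the feed's `dateAdded` and `dueDate` fields, buckets it into the 24-hour, three-day and standard windows the article describes, and flags entries that are already past due. The entries below are constructed placeholders that reuse the feed's real field names; the CVE identifiers are dummies, not real catalog rows.

```python
import json
from datetime import date, datetime

# Constructed sample in the shape of the KEV JSON feed (same field names as the
# real feed). The rows and CVE identifiers are placeholders, not real entries.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "0000.00.00",
    "dateReleased": "2025-01-14T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "Example Gateway", "dateAdded": "2025-01-06",
         "dueDate": "2025-01-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "Example VPN", "dateAdded": "2025-01-10",
         "dueDate": "2025-01-13", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "Example Mail Server", "dateAdded": "2025-01-12",
         "dueDate": "2025-01-13", "knownRansomwareCampaignUse": "Unknown"},
    ],
})


def parse_feed(raw: str) -> list[dict]:
    """Return the list of catalog entries from a KEV-shaped JSON document."""
    return json.loads(raw)["vulnerabilities"]


def _to_date(value: str) -> date:
    # KEV dates are plain ISO calendar dates (YYYY-MM-DD).
    return datetime.strptime(value, "%Y-%m-%d").date()


def window_days(entry: dict) -> int:
    """Patch window in days: how long agencies were given from addition to due date."""
    return (_to_date(entry["dueDate"]) - _to_date(entry["dateAdded"])).days


def classify_window(days: int) -> str:
    """Bucket a window into the deadline tiers the catalog uses."""
    if days <= 1:
        return "24-hour"
    if days <= 3:
        return "3-day"
    return "standard"  # historically the default three-week window


def triage(entries: list[dict], today: date) -> list[dict]:
    """Order entries by due date (then CVE id) and annotate urgency fields.

    Each row carries the original window, its tier, whether it is overdue as of
    `today`, and the days remaining (negative when already past due).
    """
    rows = []
    for e in entries:
        due = _to_date(e["dueDate"])
        days = window_days(e)
        rows.append({
            "cveID": e["cveID"],
            "product": f'{e["vendorProject"]} {e["product"]}',
            "window_days": days,
            "tier": classify_window(days),
            "ransomware": e.get("knownRansomwareCampaignUse") == "Known",
            "overdue": due < today,
            "days_left": (due - today).days,
        })
    rows.sort(key=lambda r: (r["days_left"], r["cveID"]))
    return rows


if __name__ == "__main__":
    for row in triage(parse_feed(SAMPLE_FEED), date(2025, 1, 14)):
        flag = "OVERDUE" if row["overdue"] else f'{row["days_left"]}d left'
        print(f'{row["cveID"]} {row["tier"]:>8} {flag:>9} {row["product"]}')
```

Run against the real feed, the same functions let a defender see at a glance which entries carry the shortened windows and which are already past their due date; the `knownRansomwareCampaignUse` field is carried through because it is a common secondary sort key in practice.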


Chris Doyle of JupiterOne said the broader effort to incorporate outside intelligence should improve the quality of the catalog. "Improvements like this can help strengthen the signal quality and timeliness of KEV, which ultimately benefits defenders trying to prioritize real-world risk over theoretical severity," he said.


The expansion of the KEV's intake process reflects a broader push by CISA to formalize its relationship with the private security research community at a moment when the volume and velocity of exploitable vulnerabilities is accelerating, and when the agency's internal resources are under pressure to keep pace.
