VYPR
Advisory · Published May 22, 2026 · 2 sources

CISA Opens KEV Catalog to External Submissions, Allowing Researchers to Nominate Exploited Bugs

CISA has launched a new nomination form enabling researchers, vendors, and industry partners to directly submit vulnerabilities for inclusion in the Known Exploited Vulnerabilities (KEV) catalog, aiming to speed up defensive action.

The Cybersecurity and Infrastructure Security Agency (CISA) announced on Thursday the creation of a new nomination form that allows researchers, vendors, and industry partners to report vulnerabilities for inclusion in its Known Exploited Vulnerabilities (KEV) catalog. The move is designed to improve the catalog's timeliness and completeness by enabling external submissions of exploited bugs, expanding the sources for KEV entries beyond CISA's own monitoring and vendor reports.

"Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities. This new reporting capability enhances CISA's ability to identify, validate, and quickly share critical threat information," said Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity. Experts can now submit vulnerabilities through a nomination form or over email and must provide information about the bug as well as evidence of its exploitation.

The KEV catalog, launched in 2021, is meant to provide cybersecurity defenders within the federal government with an authoritative list of software and hardware vulnerabilities that need to be patched within a certain time frame — typically three weeks. It has become a critical resource for the broader cybersecurity community, with organizations remediating KEV-listed vulnerabilities 3.5 times faster than non-KEV bugs.

Robert Costello, who served as CISA’s chief information officer for nearly five years before leaving in March, said the new submission form is a way for the agency to operationalize its partnership with the cybersecurity research community. "Crowdsourcing exploitation intelligence through a standardized nomination process means faster KEV additions and, ultimately, faster defensive action across the whole ecosystem," he said.

The agency said reporting bugs to CISA is "essential to the nation’s cybersecurity posture, helping ensure that exploited vulnerabilities are discovered early, communicated responsibly, and mitigated quickly across federal, private, and critical infrastructure networks." The change comes as defenders contend with a growing deluge of AI-discovered vulnerabilities, many of which are insignificant and unlikely to be exploited.

Qualys’ Mayuresh Dani noted that CISA previously accepted submissions via email but lacked visibility into how many vulnerabilities were added based on those submissions. The new form forces submitters to add critical, detailed information. "Hopefully, this functionality will now provide visibility into what exactly happens post submission," Dani said. "What needs to be seen is how this information is verified by CISA and what guardrails against incorrect and false reporting are put in by CISA so that only real and validated exploitation observations make it to the KEV list."

Earlier this month, Reuters reported that CISA Acting Director Nick Anderson and U.S. National Cyber Director Sean Cairncross floated the possibility of limiting the KEV deadline for all new bugs to just three days, out of concern about hackers using powerful AI systems to develop exploits more quickly. The new nomination form is seen as a step toward speeding up defense efforts, vulnerability disclosure, and exploitation tracking.

"Improvements like this can help strengthen the signal quality and timeliness of KEV, which ultimately benefits defenders trying to prioritize real-world risk over theoretical severity," said JupiterOne’s Chris Doyle. The move underscores CISA's commitment to operationalizing partnerships with the private sector and research community in an era of accelerating vulnerability discovery and exploitation.

The new form supplements the existing email submission channel at vulnerability@cisa.dhs.gov, which remains available. CISA Acting Executive Assistant Director for Cybersecurity Chris Butera stated that the capability enhances the agency's ability to identify, validate, and quickly share critical threat information, emphasizing that early detection and coordinated vulnerability disclosure are among the most powerful tools to reduce risk at scale. Submissions still require an assigned CVE, confirmed exploitation, and remediation guidance to meet the KEV catalog's existing bar.

Synthesized by Vypr AI