
CISA to allow researchers to report vulnerabilities to exploited bugs catalog

The federal cybersecurity agency has created a new pathway for people outside of the U.S. government to report vulnerabilities to its catalog of bugs that have been exploited. 

The Cybersecurity and Infrastructure Security Agency (CISA) announced on Thursday the creation of a nomination form that it said enables “researchers, vendors, and industry partners” to report bugs that should be added to the Known Exploited Vulnerabilities catalog — a list that has become a critical resource for the cybersecurity community.

“Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities. This new reporting capability enhances CISA’s ability to identify, validate, and quickly share critical threat information,” said Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity. 

“Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale. CISA strongly encourages researchers and organizations to share vulnerability threats and help us secure the systems Americans rely on every day.”

Researchers can now submit vulnerabilities through the nomination form or over email, and must provide details about the bug as well as evidence that it is being exploited.

The catalog, known colloquially as the KEV, is meant to give cybersecurity defenders within the federal government an authoritative list of software and hardware vulnerabilities that must be patched within a set time frame — typically three weeks.

It has allowed defenders to focus on remediating vulnerabilities that are being actively exploited by hackers and nation-state actors. 

The agency said reporting bugs to CISA is “essential to the nation’s cybersecurity posture, helping ensure that exploited vulnerabilities are discovered early, communicated responsibly, and mitigated quickly across federal, private, and critical infrastructure networks.”

Robert Costello, who served as CISA’s chief information officer for nearly five years before leaving in March, said the new submission form is a way for the agency to operationalize its partnership with the cybersecurity research community in a very practical way.

“Crowdsourcing exploitation intelligence through a standardized nomination process means faster KEV additions and, ultimately, faster defensive action across the whole ecosystem,” he said. 

“It's the right move at the right time, as AI is accelerating both the discovery and exploitation of vulnerabilities at a pace that makes early, coordinated disclosure more critical than ever.”

As the catalog has grown since debuting in 2021, cyber defenders outside of the federal government have adopted it as a reference point to know what bugs are being targeted. Experts found that organizations remediate vulnerabilities added to the KEV 3.5 times faster than non-KEV bugs.

It has become even more critical as defenders figure out how to contend with a growing deluge of AI-discovered vulnerabilities — many of which are insignificant and unlikely to be exploited.

Qualys’ Mayuresh Dani said CISA previously accepted submissions via email but noted that there were no external reports on how many vulnerabilities were added to the KEV based on submissions to this email address. The new form forces submitters to add critical, detailed information.

“Hopefully, this functionality will now provide visibility into what exactly happens post submission,” Dani told Recorded Future News. “What needs to be seen is how this information is verified by CISA and what guardrails against incorrect and false reporting are put in by CISA so that only real and validated exploitation observations make it to the KEV list.” 

Dani added that CISA may be trying to play catch-up because commercial alternatives to the KEV are available and some now consider it a trailing indicator of vulnerability exploitation.

While nearly all bugs initially added to the KEV were given a three-week remediation deadline, the number of vulnerabilities given three-day and even 24-hour patch deadlines has increased in the last year. 
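The KEV is useful to defenders only when it is matched against what they actually run and ordered by its remediation deadlines, which, as noted above, now range from 21 days down to 24 hours. The script below is an added example (not CISA's code and not part of the article) showing that workflow: it takes a catalog in the shape of the public KEV JSON feed (the field names `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction` and `knownRansomwareCampaignUse` are assumed to match that feed), joins it against a small asset inventory, and ranks the hits by days remaining until the due date, with overdue items first. Every catalog entry and inventory row here is constructed sample data, not real catalog content.

```python
"""Match a KEV-style catalog against an asset inventory and rank by deadline.

Added example, not CISA's or the article's code. Field names follow the
public KEV JSON feed (assumed); all data below is constructed for illustration.
"""
import json
from datetime import date, datetime

# Constructed sample in the shape of the feed's top-level object.
# CVE identifiers are placeholders, not real CVEs.
SAMPLE_CATALOG = {
    "catalogVersion": "example",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleGateway",
         "dateAdded": "2025-01-10", "dueDate": "2025-01-31",  # 21-day window
         "requiredAction": "Apply mitigations per vendor instructions.",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
         "dateAdded": "2025-02-01", "dueDate": "2025-02-04",  # 3-day window
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor", "product": "ExampleBrowser",
         "dateAdded": "2025-02-03", "dueDate": "2025-02-04",  # 1-day window
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0004", "vendorProject": "OtherVendor", "product": "NotInstalledApp",
         "dateAdded": "2025-02-02", "dueDate": "2025-02-23",
         "requiredAction": "Apply updates per vendor instructions.",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
}

# Constructed inventory: which vendor/product pairs run on which hosts.
SAMPLE_INVENTORY = [
    {"host": "vpn-01", "vendorProject": "ExampleVendor", "product": "ExampleGateway"},
    {"host": "mail-01", "vendorProject": "examplevendor", "product": "examplemail"},
    {"host": "ws-07", "vendorProject": "OtherVendor", "product": "ExampleBrowser"},
    {"host": "db-02", "vendorProject": "OtherVendor", "product": "ExampleDatabase"},
]


def load_catalog(path):
    """Load a downloaded KEV JSON file from disk (same shape as SAMPLE_CATALOG)."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def parse_date(text):
    """KEV dates are ISO YYYY-MM-DD strings."""
    return datetime.strptime(text, "%Y-%m-%d").date()


def remediation_window_days(entry):
    """Days CISA allowed between addition and the due date for one entry."""
    return (parse_date(entry["dueDate"]) - parse_date(entry["dateAdded"])).days


def _key(vendor, product):
    # Normalise so inventory spelling/case differences still match.
    return (vendor.strip().lower(), product.strip().lower())


def prioritize(catalog, inventory, today):
    """Return inventory/KEV matches ranked by urgency.

    Ordering: fewest days left first (overdue entries are negative and so come
    first), then entries with known ransomware use, then by CVE id for stability.
    """
    by_product = {}
    for entry in catalog["vulnerabilities"]:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)

    hits = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendorProject"], asset["product"]), []):
            days_left = (parse_date(entry["dueDate"]) - today).days
            hits.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                "requiredAction": entry["requiredAction"],
            })

    hits.sort(key=lambda h: (h["days_left"], 0 if h["ransomware"] else 1, h["cveID"]))
    return hits


if __name__ == "__main__":
    for hit in prioritize(SAMPLE_CATALOG, SAMPLE_INVENTORY, date(2025, 2, 3)):
        flag = "OVERDUE" if hit["overdue"] else f"{hit['days_left']}d left"
        print(f"{hit['host']:8} {hit['cveID']:14} due {hit['dueDate']} ({flag}) - {hit['requiredAction']}")
```

To run this against the real catalog, replace `SAMPLE_CATALOG` with `load_catalog("known_exploited_vulnerabilities.json")` after downloading the feed, and feed in an inventory export from your CMDB or scanner; the normalised vendor/product join is deliberately loose, so expect to tighten it with version data before treating a miss as a clean bill of health.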

Earlier this month, Reuters reported that CISA Acting Director Nick Anderson and U.S. National Cyber Director Sean Cairncross floated the possibility of shortening the KEV deadline for all new bugs to just three days, out of concern that hackers are now using powerful, emerging AI systems to develop exploits for vulnerabilities in less time.

Experts said the new effort to coordinate with the private sector was designed to speed up defense efforts, vulnerability disclosure and exploitation tracking. 

“Improvements like this can help strengthen the signal quality and timeliness of KEV, which ultimately benefits defenders trying to prioritize real-world risk over theoretical severity,” said JupiterOne’s Chris Doyle.


Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.