CISA Expands Vulnerability Reporting

May 22, 2026 04:01 · 12 min read

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the creation of a nomination form that enables researchers, vendors, and industry partners to report bugs that need to be added to the Known Exploited Vulnerabilities (KEV) catalog.

Enhancing Vulnerability Reporting

According to Chris Butera, CISA's Acting Executive Assistant Director for Cybersecurity, this new reporting capability enhances CISA's ability to identify, validate, and quickly share critical threat information. Butera stated,

"Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities. This new reporting capability enhances CISA's ability to identify, validate, and quickly share critical threat information."

Experts can now submit vulnerabilities through a nomination form or over email, and must provide information about the bug as well as evidence of its exploitation. The KEV catalog is meant to provide cybersecurity defenders within the federal government with an authoritative list of software and hardware vulnerabilities that need to be patched within a certain time frame, typically three weeks.

Benefits of the New Reporting System

Robert Costello, former CISA Chief Information Officer, said the new submission form is a way for the agency to operationalize its partnership with the cybersecurity research community in a very practical way. Costello noted,

"Crowdsourcing exploitation intelligence through a standardized nomination process means faster KEV additions and, ultimately, faster defensive action across the whole ecosystem."

As the catalog has grown since debuting in 2021, cyber defenders outside of the federal government have adopted it as a reference point to know what bugs are being targeted. Experts found that organizations remediate vulnerabilities added to the KEV 3.5 times faster than non-KEV bugs.

Importance of Early Detection and Coordinated Vulnerability Disclosure

Butera emphasized that early detection and coordinated vulnerability disclosure are among the most powerful tools to reduce risk at scale. CISA strongly encourages researchers and organizations to share vulnerability threats and help secure the systems Americans rely on every day.

Qualys' Mayuresh Dani noted that CISA previously accepted submissions via email but lacked external reports on how many vulnerabilities were added to the KEV based on these submissions. The new form requires submitters to add critical, detailed information, which will hopefully provide visibility into what happens post-submission.

Future Developments and Challenges

Dani added that CISA may be trying to play catch-up because commercial alternatives to the KEV are available, and some now consider it a trailing indicator of vulnerability exploitation. While nearly all bugs initially added to the KEV were given a three-week remediation deadline, the number of vulnerabilities given three-day and even 24-hour patch deadlines has increased in the last year.

JupiterOne's Chris Doyle said improvements like this can help strengthen the signal quality and timeliness of KEV, which ultimately benefits defenders trying to prioritize real-world risk over theoretical severity.

CISA's efforts to coordinate with the private sector are designed to speed up defense efforts, vulnerability disclosure, and exploitation tracking. As the cybersecurity landscape continues to evolve, the importance of early detection and coordinated vulnerability disclosure will only continue to grow.


Source: The Record
