CISA Opens KEV Nomination Form to Vendors and Researchers
▼ Summary
– CISA launched a new nomination form for researchers, vendors, and industry partners to report known exploited vulnerabilities for possible inclusion in its KEV catalog.
– Email submissions remain available at vulnerability@cisa.dhs.gov as an alternative reporting route.
– CISA’s Chris Butera stated the new capability enhances identification and sharing of critical threat information, urging researchers to report vulnerabilities.
– The change addresses criticism that CISA was slow to add actively exploited bugs, aiming to keep the KEV catalog current.
– Submissions must meet existing criteria: an assigned CVE, confirmed exploitation, and remediation guidance.
The Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new online nomination form that allows security researchers, vendors, and industry partners to directly report known exploited vulnerabilities for potential inclusion in its Known Exploited Vulnerabilities (KEV) catalog. This marks a significant shift in how outside contributors can engage with the agency’s vulnerability tracking process.
Previously, submissions were limited to email-based reporting. While that channel remains open at vulnerability@cisa.dhs.gov for those who prefer it, the new form offers a more streamlined and direct path for submitting vulnerabilities to CISA.
“Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities. This new reporting capability enhances CISA’s ability to identify, validate, and quickly share critical threat information,” said Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity. “Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale. CISA strongly encourages researchers and organizations to share vulnerability threats and help us secure the systems Americans rely on every day.”
Why this matters now
Since launching the KEV catalog in November 2021, CISA has steadily expanded its database of actively exploited flaws. However, the agency has faced criticism for being slow to add newly discovered vulnerabilities that are already being weaponized in the wild. Opening the nomination process to outside experts is intended to accelerate that timeline and ensure the catalog remains a current, actionable resource for defenders.
To be accepted, submissions must still meet the existing criteria: an assigned CVE identifier, confirmed evidence of active exploitation, and available remediation guidance. The form does not lower the bar for entry but broadens the pipeline for reporting, which should help CISA respond faster to emerging threats.
Download: 2026 SANS Identity Threats & Defenses Survey
(Source: Help Net Security)
