CISA Opens Known Exploited Vulnerabilities Catalog to Community Submissions
CISA has introduced a nomination form allowing researchers, vendors, and industry partners to submit vulnerabilities for inclusion in its Known Exploited Vulnerabilities (KEV) catalog. This democratises the vulnerability reporting process and potentially accelerates the identification of actively exploited bugs.
Affected
CISA has expanded its Known Exploited Vulnerabilities catalog submission process by creating a formal nomination mechanism. Previously, the KEV catalog relied primarily on CISA's own analysis and vendor reports. This change shifts the model toward community-driven threat intelligence collection, allowing security researchers and industry participants to directly flag vulnerabilities they observe being actively exploited in the wild.
The nomination form creates a structured intake process for evidence-based reporting. Rather than ad-hoc notifications, researchers can now submit standardized reports identifying specific vulnerabilities they believe warrant inclusion based on exploitation activity. This approach has significant operational implications: faster identification of exploited bugs means organisations can prioritise patching and detection efforts more effectively, potentially reducing the window between public disclosure and widespread defensive action.
The policy addresses a recognised gap in vulnerability intelligence. While vendor advisories and public exploit databases exist, the authoritative federal government record of actively exploited vulnerabilities has been reactive rather than proactive. Crowdsourcing nominations taps a distributed sensor network of security researchers and incident responders who often discover exploitation activity before it reaches mainstream awareness.
Defenders should integrate this nomination pathway into their vulnerability coordination workflows. Organisations discovering evidence of active exploitation should consider submitting to CISA's form rather than relying solely on existing disclosure channels. The KEV catalog drives security guidance across federal agencies and increasingly influences private sector prioritisation, so timely community input directly affects resource allocation decisions across the sector.
This represents incremental policy maturation rather than revolutionary change, but the implications warrant attention. A crowdsourced KEV process could accelerate threat intelligence distribution, though it also introduces new coordination challenges around evidence quality, false positives, and potential misuse of the platform for reputation damage or competitive advantage. CISA's success here depends on maintaining rigorous intake standards whilst remaining responsive to legitimate community submissions.