CISA Launches Form for Researchers to Report Exploited Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a new nomination form enabling security researchers, vendors, and industry partners to submit vulnerabilities for inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Announced by Acting Executive Assistant Director for Cybersecurity Chris Butera, the initiative formalizes external reporting mechanisms that previously lacked a standardized pathway. Submitters must provide detailed vulnerability information alongside evidence of active exploitation, with the agency targeting a three-week remediation window for cataloged flaws. The KEV catalog, which debuted in November 2021, has become an authoritative resource for federal cybersecurity defenders prioritizing patch remediation efforts.

Robert Costello, CISA's former Chief Information Officer who departed in March, praised the move as operationalizing partnerships with the research community through a "crowdsourcing exploitation intelligence" model. Studies indicate organizations remediate KEV-listed vulnerabilities 3.5 times faster than unlisted bugs, underscoring the catalog's operational significance. As AI accelerates both vulnerability discovery and exploitation at unprecedented rates, Costello emphasized that early coordinated disclosure has become "more critical than ever" for defensive cybersecurity posture. The streamlined nomination process allows threat intelligence to propagate faster across federal, private sector, and critical infrastructure networks.

Organizations leveraging CISA's KEV data should verify their exposure through comprehensive security assessments. Use our email breach checker to determine if corporate accounts appear in known data dumps, and employ the SSL/TLS checker to validate certificate configurations on externally facing systems. For infrastructure hardening, the port scanner identifies unnecessary exposure points that attackers frequently target for initial access. CISA's expanded reporting capability represents a significant shift toward collaborative vulnerability management at national scale.