CISA Opens New Reporting Path for Researchers to Add Exploited Vulnerabilities to KEV Catalog
What Happened — The Cybersecurity and Infrastructure Security Agency (CISA) launched a public nomination form that lets researchers, vendors, and industry partners submit newly‑exploited vulnerabilities for inclusion in the Known Exploited Vulnerabilities (KEV) catalog. Submissions must include technical details and proof of exploitation.
Why It Matters for TPRM —
- Accelerates the identification of high‑risk flaws across the supply chain, giving third‑party risk managers earlier warning.
- Enables faster remediation timelines (KEV bugs are patched ~3.5× quicker than non‑KEV bugs).
- Provides a standardized, government‑backed source of exploitation intelligence that can be integrated into vendor risk assessments.
Who Is Affected — Federal agencies, critical infrastructure operators, and any private‑sector organization that relies on CISA’s KEV list to prioritize patching.
Recommended Actions —
- Incorporate KEV feed into your vulnerability management and vendor risk tooling.
- Require vendors to monitor KEV updates and demonstrate timely remediation of listed flaws.
- Update third‑party risk policies to reference CISA’s nomination process as a source of actionable intel.
Technical Notes — The KEV catalog aggregates CVEs that have confirmed exploitation in the wild, often tied to nation‑state or ransomware actors. CISA’s new intake mechanism streamlines evidence collection (proof‑of‑concept, exploit code, or observed attacks) and shortens the three‑week patch‑by‑date window. Source: The Record