CISA is expanding its vulnerability disclosure efforts with a new online submission tool designed to accelerate reporting of known exploited cyber flaws.

The Cybersecurity and Infrastructure Security Agency (CISA) has launched a new online nomination form designed to help security researchers, technology vendors, and industry partners report known exploited vulnerabilities more quickly and efficiently.

CISA said the new Known Exploited Vulnerabilities (KEV) Nomination Form will improve the agency’s ability to identify, validate, and publicly share information about vulnerabilities that attackers are actively exploiting against government, private sector, and critical infrastructure systems.

The agency said the form is intended to improve the quality and consistency of submissions while reinforcing what it described as a “community-driven approach” to reducing cybersecurity risks across the country.

According to CISA, the new reporting capability is aligned with the agency’s broader Vulnerability Disclosure Policy Platform and Coordinated Vulnerability Disclosure Program – both of which are designed to encourage good-faith security research and promote transparent coordination when addressing cyber threats.

CISA said public reporting of exploited vulnerabilities plays a critical role in the nation’s cybersecurity posture because it helps ensure that serious software flaws are identified early, communicated responsibly, and mitigated quickly before attackers can cause broader harm.

“Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities,” said Chris Butera, the agency’s executive assistant director for cybersecurity.

“Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale,” Butera said.

“CISA strongly encourages researchers and organizations to share vulnerability threats and help us secure the systems Americans rely on every day,” he said.

The KEV catalog itself serves as what CISA called an “authoritative source” of vulnerabilities that have been confirmed as actively exploited in the real world and includes remediation guidance intended to help organizations protect affected systems.

Researchers and organizations can submit vulnerabilities through the new online nomination form or continue using the agency’s existing email reporting process at vulnerability@cisa.dhs.gov. CISA said the KEV catalog and reporting resources are available through CISA’s Known Exploited Vulnerabilities Catalog.

About
John Curran
John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.