Skip to main content
CybersecurityVulnerability Management

CISA Opens KEV Nominations to Bolster Vulnerability Intelligence

Professional in a government agency setting near a whiteboard or screen.

"CISA’s KEV Nomination Form aligns with our Vulnerability Disclosure Policy (VDP) Platform and Coordinated Vulnerability Disclosure (CVD) Program," the agency explained, emphasizing that "public reporting to CISA is essential to the nation’s cybersecurity posture, helping ensure that exploited vulnerabilities are discovered early, communicated responsibly, and mitigated quickly across federal, private, and critical infrastructure networks."

CISA’s new KEV nomination channel and what it does

The Cybersecurity & Infrastructure Security Agency announced it will accept nominations to its Known Exploited Vulnerabilities (KEV) catalog through a formal submission mechanism. The agency framed the change as an alignment with its Vulnerability Disclosure Policy (VDP) Platform and Coordinated Vulnerability Disclosure (CVD) Program and said the effort "encourages good faith security research and promotes transparent, coordinated remediation of cyber risks."

According to the announcement cited in the source material, the KEV Nomination Form is intended to allow vendors, researchers and industry partners to report exploited vulnerabilities directly to CISA — moving from ad hoc email reporting toward a standardized intake.

Crowdsourcing intelligence: Robert Costello’s assessment

Robert Costello, Chief Digital and Information Officer at Merlin Group, described the move as "a strong example of CISA operationalizing its partnership with the cybersecurity research community in a very practical way." Costello argued that "crowdsourcing exploitation intelligence through a standardized nomination process means faster KEV additions and, ultimately, faster defensive action across the whole ecosystem."

He also linked the change to wider technological pressures, noting that "AI is accelerating both the discovery and exploitation of vulnerabilities at a pace that makes early, coordinated disclosure more critical than ever," and framing the nomination form as timely given that acceleration.

Structured submissions and visibility: Mayuresh Dani’s perspective

Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, called the form "a new formal, structured, public-facing submission mechanism." Dani contrasted it with prior practice, noting that the reporting channel "earlier... lived as a plain, unstructured email address mentioned in BOD 22-01 guidelines."

Under the new form, submission fields make certain elements mandatory: CVE-ID, clear mitigation guidelines and exploitation evidence must be provided, and vendor and product information is requested as part of the information collection process. Dani observed that "before this, there were no external reports on how many vulnerabilities were added to the KEV based on submissions to this email address," and added the hope that "this functionality will now provide visibility into what exactly happens post-submission."

Verification and guardrails: outstanding operational questions

Dani also flagged an operational question central to whether the new intake will succeed: "What needs to be seen is how this information is verified by CISA and what guardrails against incorrect and false reporting are put in by CISA so that only real and validated exploitation observations make it to the KEV list." That sentence captures both an opportunity and a constraint — the value of faster, broader reporting depends on robust validation processes.

He further noted a market context: "It's possible that CISA is trying to play catch up, as commercial alternatives to CISA KEV are available and the fact that CISA KEV is a trailing indicator of vulnerability exploitation." In that reading, the nomination form is both a response to demand for timelier intelligence and an attempt to reassert CISA’s role as a central repository for validated exploitation data.

What this means for vendors, researchers, and federal operators

  • Vendors and product teams: The form’s requirement for vendor and product information, CVE-ID and mitigation guidance creates a clearer expectation about the evidence and documentation CISA will collect when a vulnerability is nominated.
  • Security researchers and industry partners: The standardized channel converts informal, unstructured tips into a structured submission; Costello and Dani both frame that as a pathway to faster KEV additions and more transparency about outcomes.
  • Federal and critical infrastructure operators: The agency’s statement that public reporting is "essential to the nation’s cybersecurity posture" signals that CISA expects submissions to support broader mitigation across federal, private, and critical infrastructure networks — provided verification and guardrails prevent false positives from entering the KEV.

The nomination form is a change in process with a clear intent: widen the aperture of exploited-vulnerability reporting, make submissions more structured, and provide better visibility into remediation. It leaves two concrete, named questions hanging in the balance: how CISA will verify reports and what guardrails it will deploy to keep inaccurate claims out of the KEV — and whether the new mechanism will close the gap Dani identifies between CISA’s KEV and existing commercial alternatives. As Mayuresh Dani put it, "what needs to be seen" now is how those verification and guardrail choices play out; if they work, the form could finally deliver the visibility into post-submission outcomes that the source material says many observers are hoping for.

Read the original story