CISA’s new KEV nomination form opens reporting to vendors and researchers

The Cybersecurity and Infrastructure Security Agency launched a new nomination form that lets researchers, vendors, and industry partners report known exploited vulnerabilities for possible inclusion in its KEV catalog.

The form gives outside contributors a direct way to submit vulnerabilities to CISA. Email submissions remain available at vulnerability@cisa.dhs.gov for organizations and individuals who prefer that route.

“Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities. This new reporting capability enhances CISA’s ability to identify, validate, and quickly share critical threat information,” Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity said. “Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale. CISA strongly encourages researchers and organizations to share vulnerability threats and help us secure the systems Americans rely on every day.”

Context for the change

CISA started the KEV catalog in November 2021 and has grown it steadily. The agency has drawn criticism for being slow to add actively exploited bugs. Opening up outside reporting should help the agency add actively exploited bugs faster and keep the list current.

Submissions still have to meet the existing bar: an assigned CVE, confirmed exploitation, and remediation guidance.

Download: 2026 SANS Identity Threats & Defenses Survey