For years, the United States federal government's Known Exploited Vulnerabilities (KEV) Catalog has served as an essential operational anchor for vulnerability management. Despite its authority, the cybersecurity community has wrestled with a frustrating structural bottleneck: the catalog has traditionally operated as a trailing indicator. US DHS CISA had to privately validate in-the-wild exploitation before publishing, occasionally warning network defenders days or weeks after threat actors had already begun scanning at scale.[1]
CISA shattered that bottleneck by launching a new, centralized KEV Nomination Form. This capability allows independent security researchers, technology vendors, and industry partners to directly report active, real-world vulnerability exploitation.
By aligning this intake mechanism with its existing Vulnerability Disclosure Policy (VDP) Platform and Coordinated Vulnerability Disclosure (CVD) Program, CISA is executing a massive strategic shift: it is transforming the KEV from an insular government list into a crowdsourced, high-velocity threat intelligence weapon.
The criteria for a vulnerability to earn a spot on the KEV catalog have always been strict and non-negotiable:
- It must have an assigned Common Vulnerabilities and Exposures (CVE) ID.
- There must be reliable evidence of active exploitation in the wild.
- There must be clear, actionable remediation guidance (such as a vendor patch).
Historically, gathering that "reliable evidence" required extensive back-and-forth communication, data parsing from federal honeypots, or manual email triage via vulnerability@cisa.dhs.gov.
The new online nomination form systematizes this pipeline. Submitters are prompted to provide critical cryptographic and architectural evidence upfront, including the specific CVE number, precise evidence of exploitation (such as observed indicators of compromise or exploit payloads), remediation paths, and cross-vendor impact assessments. By structuring this intake, CISA can drastically compress its validation lifecycle, moving an active threat from a researcher's telemetry into the authoritative database in hours rather than days.
Organizations and researchers can access the KEV catalog and submit information through CISA.gov/known-exploited-vulnerabilities-catalog.
This update represents a critical turning point for three major sectors of our ecosystem.
- For cybersecurity professionals: closing the remediation gap. As highlighted in recent industry studies like the 2026 Verizon DBIR, the time between a vulnerability's disclosure and its active exploitation has shrunk to a matter of hours. Defenders are trapped by the human limits of manual patching. By allowing the community to feed the KEV catalog directly, defenders get a high-fidelity signal much faster. When a flaw hits the KEV, it immediately cuts through the "noise" of traditional CVSS scores. It tells a SOC analyst: Stop debating theoretical severity; this bug is being actively weaponized right now.
- For enterprise and software vendors: enforcing accountability. The nomination form strips away the "maturity mirage" that some vendors rely on to delay patches. When external researchers can independently alert CISA to active exploitation through a formalized government pipeline, it forces tech providers to accelerate their Coordinated Vulnerability Disclosure timelines. Under Binding Operational Directive 22-01 (BOD 22-01), federal agencies are mandated to patch KEV flaws within highly aggressive, strict timeframes (often 15 to 25 days). By putting vulnerabilities on the KEV faster, the entire industry is forced to match that accelerated tempo.
- For government and critical infrastructure: true collective defense. As emphasized in recent CISA initiatives like CI Fortify, threat actors (such as nation-state groups like Volt Typhoon) excel at exploiting the siloes between private industry and public defense. The nomination form turns every enterprise SOC, MSSP, and independent bug hunter into a sensor for national security. A researcher discovering a zero-day exploit at a mid-sized utility can now instantly scale that visibility to protect the entire federal civilian executive branch (FCEB) and global private networks simultaneously.
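The KEV-first triage described in the list above, sketched as an added example (not code from the original article or from CISA). It assumes scanner findings arrive as (asset, CVE, CVSS) tuples; the field names `cveID`, `dateAdded` and `dueDate` follow CISA's published KEV JSON feed, while every entry, CVE ID and hostname is constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed; entries are made up.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-1001", "dateAdded": "2026-01-05", "dueDate": "2026-01-26"},
  {"cveID": "CVE-0000-1002", "dateAdded": "2026-01-12", "dueDate": "2026-02-02"}
]}
""")

# Constructed scanner findings: (asset, CVE, CVSS base score).
FINDINGS = [
    ("web-01", "CVE-0000-2001", 9.8),
    ("db-01", "CVE-0000-1002", 6.5),
    ("vpn-01", "CVE-0000-1001", 7.2),
    ("app-03", "CVE-0000-2002", 8.1),
]

def triage(findings, kev_feed, today):
    """Order findings: KEV-listed first (nearest due date first), then by CVSS."""
    kev = {v["cveID"]: date.fromisoformat(v["dueDate"])
           for v in kev_feed["vulnerabilities"]}
    rows = []
    for asset, cve, cvss in findings:
        due = kev.get(cve)
        rows.append({
            "asset": asset, "cve": cve, "cvss": cvss,
            "in_kev": due is not None,
            # Negative once the remediation deadline has passed.
            "days_left": (due - today).days if due else None,
        })
    # KEV entries sort ahead of everything else, overdue and near-deadline
    # ones first. Findings not in the KEV fall back to CVSS, highest first.
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_left"] if r["in_kev"] else 0,
                             -r["cvss"]))
    return rows

if __name__ == "__main__":
    for r in triage(FINDINGS, KEV_FEED, date(2026, 1, 20)):
        tag = f"KEV, {r['days_left']}d left" if r["in_kev"] else "not in KEV"
        print(f"{r['asset']:8} {r['cve']}  CVSS {r['cvss']:<4} {tag}")
```

The CVSS 6.5 finding on `db-01` outranks the 9.8 on `web-01` because only the former has confirmed exploitation behind it.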
Can this new form realistically bolster submission quality? The short answer is yes, but the curation layer will be tested. By providing a structured, formalized reporting interface, CISA is providing security researchers with a clear roadmap of exactly what information constitutes "proof of exploitation." This minimizes administrative overhead and filters out low-value alerts or theoretical Proof-of-Concepts (PoCs), which CISA explicitly states do not qualify for KEV inclusion.
The true metric of success will be CISA's internal velocity. The influx of crowd-sourced telemetry will inevitably create an analytical bottleneck unless backed by highly automated backend verification. If CISA can maintain its commitment to rapid validation, the new form will solidify the KEV catalog as a real-time shield rather than a historical ledger.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.secureworld.io/industry-news/cisa-kev-nomination-form