SecureWorld News

CISA's KEV Nomination Form Weaponizes Community Intelligence

Written by Cam Sivesind | Tue | May 26, 2026 | 2:13 PM Z

For years, the United States federal government's Known Exploited Vulnerabilities (KEV) Catalog has served as an essential operational anchor for vulnerability management. Yet, despite its authority, the cybersecurity community has wrestled with a frustrating structural bottleneck: the catalog has traditionally operated as a trailing indicator. U.S. CISA had to privately validate in-the-wild exploitation before publishing, occasionally warning network defenders days or weeks after threat actors had already begun scanning at scale.

CISA shattered that bottleneck by launching a new, centralized KEV Nomination Form. This capability allows independent security researchers, technology vendors, and industry partners to directly report active, real-world vulnerability exploitation.

By aligning this intake mechanism with its existing Vulnerability Disclosure Policy (VDP) Platform and Coordinated Vulnerability Disclosure (CVD) Program, CISA is executing a massive strategic shift: it is transforming the KEV from an insular government list into a crowdsourced, high-velocity threat intelligence weapon.

The criteria for a vulnerability to earn a spot on the KEV catalog have always been strict and non-negotiable:

  • It must have an assigned Common Vulnerabilities and Exposures (CVE) ID.

  • There must be reliable evidence of active exploitation in the wild.

  • There must be clear, actionable remediation guidance (such as a vendor patch).

Historically, gathering that "reliable evidence" required extensive back-and-forth communication, data parsing from federal honeypots, or manual email triage via vulnerability@cisa.dhs.gov.

The new online nomination form systematizes this pipeline. Submitters are prompted to provide the critical evidence upfront, including the specific CVE number, precise evidence of exploitation (such as observed indicators of compromise or exploit payloads), remediation paths, and cross-vendor impact assessments. By structuring this intake, CISA can drastically compress its validation lifecycle, moving an active threat from a researcher's telemetry into the authoritative database in hours rather than days.

Organizations and researchers can access the KEV catalog and submit information through CISA.gov/known-exploited-vulnerabilities-catalog.

This update represents a critical turning point for three major sectors of our ecosystem.

1. For cybersecurity professionals: closing the remediation gap

As highlighted in recent industry studies like the 2026 Verizon DBIR, the time between a vulnerability's disclosure and its active exploitation has shrunk to a matter of hours. Defenders are constrained by the human limits of manual patching.

By allowing the community to feed the KEV catalog directly, defenders get a high-fidelity signal much faster. When a flaw hits the KEV, it immediately cuts through the "noise" of traditional CVSS scores. It tells a SOC analyst: Stop debating the theoretical severity; this bug is being actively weaponized right now.

2. For enterprise and software vendors: enforcing accountability

The nomination form strips away the "maturity mirage" that some vendors rely on to delay patches. When external researchers can independently alert CISA to active exploitation through a formalized government pipeline, it forces tech providers to accelerate their Coordinated Vulnerability Disclosure timelines. Under Binding Operational Directive 22-01 (BOD 22-01), federal agencies are mandated to patch KEV flaws within highly aggressive, strict timeframes (often 15 to 25 days). By putting a vulnerability on the KEV faster, the entire industry is forced to match that accelerated tempo.

3. For government and critical infrastructure: true collective defense

As emphasized in recent CISA initiatives like CI Fortify, threat actors (such as nation-state groups like Volt Typhoon) excel at exploiting the silos between private industry and public defense. The nomination form turns every enterprise SOC, MSSP, and independent bug hunter into a sensor for national security. A researcher discovering a zero-day exploit at a mid-sized utility can now instantly scale that visibility to protect the entire federal civilian executive branch (FCEB) and global private networks simultaneously.

We asked a few experts from solution providers for their input on the new CISA form.

Robert Costello, Chief Digital and Information Officer at Merlin Group, said:

"This is a strong example of CISA operationalizing its partnership with the cybersecurity research community in a very practical way. Crowdsourcing exploitation intelligence through a standardized nomination process means faster KEV additions and, ultimately, faster defensive action across the whole ecosystem. It's the right move at the right time, as AI is accelerating both the discovery and exploitation of vulnerabilities at a pace that makes early, coordinated disclosure more critical than ever."

Mayuresh Dani, Security Research Manager at Qualys Threat Research Unit, said:

"Yes, this is a new formal, structured, public-facing submission mechanism. Earlier, it lived as a plain, unstructured email address mentioned in BOD 22-01 guidelines. Organizations or individuals with information about an exploited vulnerability that is not currently listed on the KEV were previously encouraged to contact CISA by email and report their evidence."

"Before this, there were no external reports on how many vulnerabilities were added to the KEV based on submissions to this email address. With this form, CVE-ID, clear mitigation guidelines and exploitation evidence are made mandatory as a part of the current submission process. Vendor and product information is also requested as a part of the information collection process. Hopefully, this functionality will now provide visibility into what exactly happens post submission. What needs to be seen is how this information is verified by CISA and what guardrails against incorrect and false reporting are put in by CISA so that only real and validated exploitation observations make it to the KEV list. It's possible that CISA is trying to play catch-up, as commercial alternatives to CISA KEV are available, and the fact that CISA KEV is a trailing indicator of vulnerability exploitation."

Can this new form realistically bolster submission quality? The short answer is yes, but the curation layer will be tested. With a structured, formalized reporting interface, CISA is giving security researchers a clear roadmap of exactly what information constitutes "proof of exploitation." This minimizes administrative overhead and filters out low-value alerts or theoretical proofs of concept (PoCs), which CISA explicitly states do not qualify for KEV inclusion.

However, the true metric of success will be CISA's internal velocity. The influx of crowdsourced telemetry will inevitably create an analytical bottleneck unless backed by highly automated backend verification. If CISA can maintain its commitment to rapid validation, the new form will solidify the KEV catalog as a real-time shield rather than a historical ledger.