CISA Opens New Channel for External Vulnerability Submissions to KEV Catalog
The **Cybersecurity and Infrastructure Security Agency (CISA)** has launched a new submission form, creating a streamlined process for external researchers and industry partners to report exploited vulnerabilities. This initiative aims to enhance the Known Exploited Vulnerabilities (KEV) catalog, a critical resource for cybersecurity professionals.
The federal cybersecurity agency has created a new pathway for people outside of the U.S. government to report vulnerabilities to its catalog of bugs that have been exploited.
### Streamlined Vulnerability Reporting
**CISA** announced on Thursday the creation of a nomination form that it said enables “researchers, vendors, and industry partners” to report bugs that need to be added to the **Known Exploited Vulnerabilities (KEV)** catalog, a key tool that has become a critical resource for the cybersecurity community.
“Every day, **CISA** collaborates with security researchers and industry partners that identify and report exploited vulnerabilities. This new reporting capability enhances **CISA**’s ability to identify, validate, and quickly share critical threat information,” said Chris Butera, **CISA**’s Acting Executive Assistant Director for Cybersecurity.
“Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale. **CISA** strongly encourages researchers and organizations to share vulnerability threats and help us secure the systems Americans rely on every day.”
Experts can now submit vulnerabilities through a [nomination form](https://cisasurvey.gov1.qualtrics.com/jfe/form/SV_1Zwu52kgK2OYf3w) or over email and have to provide information about the bug as well as evidence of its exploitation.
### The Importance of the KEV Catalog
The catalog, known colloquially as the KEV, is meant to provide cybersecurity defenders within the federal government with an authoritative list of software and hardware vulnerabilities that need to be patched within a certain time frame, typically three weeks.
It has allowed defenders to focus on remediating vulnerabilities that are being actively exploited by hackers and nation-state actors.
The agency said reporting bugs to **CISA** is “essential to the nation’s cybersecurity posture, helping ensure that exploited vulnerabilities are discovered early, communicated responsibly, and mitigated quickly across federal, private, and critical infrastructure networks.”
Robert Costello, who served as **CISA**’s chief information officer for nearly five years before leaving in March, said the new submission form is a way for the agency to operationalize its partnership with the cybersecurity research community in a very practical way.
“Crowdsourcing exploitation intelligence through a standardized nomination process means faster KEV additions and, ultimately, faster defensive action across the whole ecosystem,” he said.
“It’s the right move at the right time, as AI is accelerating both the discovery and exploitation of vulnerabilities at a pace that makes early, coordinated disclosure more critical than ever.”
### Impact and Future Considerations
As the catalog has grown [since debuting in 2021](https://therecord.media/cisa-known-exploited-vulnerability-catalog-passes-1000), cyber defenders outside of the federal government have adopted it as a reference point to know what bugs are being targeted. Experts found that organizations remediate vulnerabilities added to the KEV [3.5 times faster than non-KEV bugs](https://therecord.media/kev-list-vulnerabilities-patched-significantly-faster).
It has become even more critical as defenders figure out how to contend with a growing deluge of AI-discovered vulnerabilities, many of which are insignificant and unlikely to be exploited.
**Qualys**’ Mayuresh Dani said **CISA** previously accepted submissions via email but noted that there were no external reports on how many vulnerabilities were added to the KEV based on submissions to this email address. The new form forces submitters to add critical, detailed information.
“Hopefully, this functionality will now provide visibility into what exactly happens post submission,” Dani told Recorded Future News. “What needs to be seen is how this information is verified by **CISA** and what guardrails against incorrect and false reporting are put in by **CISA** so that only real and validated exploitation observations make it to the KEV list.”
Dani added that **CISA** may be trying to play catch-up because commercial alternatives to the KEV are available and some now consider it a trailing indicator of vulnerability exploitation.
While nearly all bugs initially added to the KEV were given a three-week remediation deadline, the number of vulnerabilities given and [even 24-hour patch deadlines](https://therecord.media/cisa-orders-agencies-patch-citrix-bleed-2) has increased in the last year.
Earlier this month, Reuters [reported](https://www.reuters.com/legal/litigation/us-officials-weigh-cutting-deadlines-fix-digital-flaws-amid-worries-over-ai-2026-05-01/) that **CISA** Acting Director Nick Anderson and U.S. National Cyber Director Sean Cairncross floated the possibility of limiting the KEV deadline for all new bugs to just three days out of concern for hackers now using powerful, emerging AI systems to develop exploits for vulnerabilities in a shorter amount of time.
Experts said the new effort to coordinate with the private sector was designed to speed up defense efforts, vulnerability disclosure and exploitation tracking.
“Improvements like this can help strengthen the signal quality and timeliness of KEV, which ultimately benefits defenders trying to prioritize real-world risk over theoretical severity,” said **JupiterOne**’s Chris Doyle.

