CISA opens new vulnerability reporting to speed up critical cybersecurity fixes
The US Cybersecurity and Infrastructure Security Agency (CISA) has opened a new way for researchers and industry partners to report vulnerabilities. A fresh nomination form now allows private sector experts to submit bugs for inclusion in the agency’s Known Exploited Vulnerabilities (KEV) catalog. The move aims to speed up how quickly critical flaws are identified and patched across systems used by Americans. The KEV catalog acts as an official list of software and hardware weaknesses that require urgent fixes. Once vulnerabilities are added, defenders typically patch them 3.5 times faster than those outside the catalog. Over the past year, the number of entries with tight deadlines—some as short as 24 hours—has grown.
CISA’s latest submission form demands detailed technical information from those reporting flaws. This ensures only well-documented vulnerabilities make it into the catalog. The agency is also pushing for stricter timelines, with Acting Director Nick Anderson and National Cyber Director Sean Cairncross proposing a three-day patching rule for all new entries. Their urgency stems from concerns over AI-powered tools accelerating exploit development. The new system expands beyond government sources, inviting non-federal researchers and vendors to contribute. Chris Butera, a CISA representative, has called on organisations to share threat data to better protect critical infrastructure. This push for broader collaboration comes as some critics argue the KEV now lags behind commercial alternatives in tracking real-world exploitation.
The updated reporting process marks a shift in how CISA gathers vulnerability intelligence. By involving more external experts, the agency hopes to close gaps in exploit tracking and defence coordination. Faster patching deadlines and stricter submission rules will likely shape how organisations respond to emerging cyber threats in the coming months.