CISA Advances Cybersecurity Collaboration by Enabling Researchers to Report Exploited Vulnerabilities
In a significant move to bolster national cybersecurity, the Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new pathway for external stakeholders to report vulnerabilities. This initiative allows researchers, vendors, and industry partners to contribute to the Known Exploited Vulnerabilities (KEV) catalog, a vital resource for the cybersecurity community.
New Reporting Mechanism Enhances Collaboration
On Thursday, CISA announced the launch of a nomination form designed to facilitate the reporting of vulnerabilities that require inclusion in the KEV catalog. This catalog serves as an authoritative list of software and hardware vulnerabilities that need urgent attention, typically requiring remediation within a three-week timeframe. Chris Butera, CISA’s Acting Executive Assistant Director for Cybersecurity, emphasized the importance of this new capability, stating, “Every day, CISA collaborates with security researchers and industry partners that identify and report exploited vulnerabilities. This new reporting capability enhances CISA’s ability to identify, validate, and quickly share critical threat information.”
The nomination form allows experts to submit detailed information about vulnerabilities, including evidence of exploitation. This structured approach is expected to improve the speed and accuracy of vulnerability reporting, ultimately enhancing the cybersecurity posture of both federal and private sectors.
Importance of Early Detection and Disclosure
CISA has long recognized that early detection and coordinated vulnerability disclosure are essential tools for reducing cybersecurity risks. Butera reiterated this point, urging researchers and organizations to share vulnerability threats to help secure systems that Americans rely on daily. The agency views the collaboration with external experts as crucial for identifying and mitigating vulnerabilities before they can be exploited on a larger scale.
The KEV catalog has become increasingly relevant as it allows cybersecurity defenders to prioritize vulnerabilities actively being exploited by malicious actors, including hackers and nation-state adversaries. CISA has stated that reporting vulnerabilities is essential for ensuring that these threats are discovered early, communicated responsibly, and mitigated swiftly across various networks.
Operationalizing Partnerships with the Cybersecurity Community
Robert Costello, former chief information officer at CISA, highlighted the operational significance of the new submission form. He noted that crowdsourcing exploitation intelligence through a standardized nomination process would lead to faster additions to the KEV catalog and, consequently, quicker defensive actions across the cybersecurity ecosystem. He remarked, “It’s the right move at the right time, as AI is accelerating both the discovery and exploitation of vulnerabilities at a pace that makes early, coordinated disclosure more critical than ever.”
Since its inception in 2021, the KEV catalog has grown significantly, serving as a reference point for cyber defenders outside the federal government. Organizations have been found to remediate vulnerabilities listed in the KEV 3.5 times faster than those not included, underscoring the catalog’s importance in the broader cybersecurity landscape.
Addressing the Challenge of AI-Discovered Vulnerabilities
As the cybersecurity landscape evolves, defenders face an increasing number of vulnerabilities discovered through artificial intelligence. Many of these vulnerabilities may be less significant and less likely to be exploited, complicating the task of prioritizing which vulnerabilities to address. Mayuresh Dani from Qualys pointed out that while CISA previously accepted submissions via email, the lack of transparency regarding how many vulnerabilities were added to the KEV from these submissions was a concern. The new nomination form aims to provide clearer visibility into the submission process and ensure that only validated exploitation observations make it to the KEV list.
Dani also suggested that CISA may be responding to competitive pressures from commercial alternatives to the KEV, which some now view as a trailing indicator of vulnerability exploitation. The introduction of the nomination form is a step toward enhancing the agency’s responsiveness to emerging threats.
Increasing Urgency in Vulnerability Remediation
While most vulnerabilities initially added to the KEV were given a three-week remediation deadline, there has been a noticeable increase in the number of vulnerabilities assigned shorter deadlines, including three-day and even 24-hour patch timelines. Recent reports indicate that CISA Acting Director Nick Anderson and U.S. National Cyber Director Sean Cairncross have considered limiting the KEV deadline for new bugs to just three days. This reflects growing concerns about hackers leveraging advanced AI systems to develop exploits more rapidly.
Experts agree that the new initiative to coordinate with the private sector aims to expedite defense efforts, vulnerability disclosure, and exploitation tracking. Chris Doyle from JupiterOne emphasized that improvements like this can enhance the signal quality and timeliness of the KEV catalog, ultimately benefiting defenders who need to prioritize real-world risks over theoretical severity.
The introduction of the nomination form marks a pivotal moment in the ongoing collaboration between CISA and the cybersecurity research community. By streamlining the reporting process and enhancing transparency, CISA aims to fortify the nation’s cybersecurity defenses and respond more effectively to the evolving threat landscape.
Source: therecord.media


