The Cybersecurity and Infrastructure Security Agency is now letting security experts nominate vulnerabilities to the agency’s Known Exploited Vulnerabilities catalog.

CISA on Thursday published a form that technology vendors, independent researchers and anyone else can use to warn CISA that hackers are exploiting a vulnerability and it should be added to the KEV.

“This new reporting capability enhances CISA’s ability to identify, validate, and quickly share critical threat information,” Chris Butera, CISA’s acting executive assistant director for cybersecurity, said in a statement. “Early detection and coordinated vulnerability disclosure are among the most powerful tools we have to reduce risk at scale.”

The form asks submitters to provide as much information as possible about a vulnerability, including its CVE number, evidence of exploitation and mitigation guidance. The form also asks whether the vulnerability affects multiple vendors or products.

CISA has struggled in the past to keep the KEV up to date. In 2023, several examples of CISA belatedly warning of exploitation prompted one expert to call it “a trailing indicator” of hacking activity.

Fast-growing catalog

CISA has steadily been expanding the KEV since its launch in November 2021 alongside a requirement that agencies patch newly listed flaws within short time windows. As of Thursday morning, the catalog listed roughly 1,600 vulnerabilities. CISA has updated the KEV six times in the past two weeks, including listing seven new vulnerabilities on Thursday.

The growth of the catalog comes as another agency struggles to keep up with a flood of newly disclosed flaws. The National Institute of Standards and Technology has spent decades enriching its own vulnerability database with detailed exploitation and mitigation information, but NIST recently announced that it would have to scale back that enrichment work and prioritize only the most serious flaws.