Coverage Criteria
VulnCheck KEV aims to have a straightforward and easy to understand criteria for including a vulnerability in VulnCheck KEV.
What's included in VulnCheck KEV?
We include any vulnerability publicly-reported as exploited in the wild in VulnCheck KEV.
Sometimes, additional clarification questions come up, such as:
- What about vulnerabilities that have no patch from the vendor?
- What about end of life systems?
- What about vulnerabilities that do not have a CVE assigned?
- What about vulnerabilities that have a CVE assigned, but the CVE record from NIST (or MITRE) is not yet public?
In short, none of these restrict the addition of vulnerabilities to VulnCheck KEV. The only prerequisite to adding a vulnerability to VulnCheck KEV is that the vulnerability is publicly-reported as exploited in the wild.
In regards to CVE assignment, however, all vulnerabilities in VulnCheck KEV do have a CVE assigned. But on occasion, we see reports of vulnerabilities being exploited in the wild where no such CVE as been assigned. In these cases, VulnCheck, as a CVE Numbering Authority (CNA) will either contact the vendor responsible for CVE assignment or assign a CVE ourselves.