Coverage Criteria
Only vulnerabilities reported to have been exploited in the wild are included in VulnCheck KEV.
VulnCheck KEV aims to have a straightforward and easy to understand criteria for including a vulnerability in VulnCheck KEV.
What's included in VulnCheck KEV?
Any vulnerability publicly-reported as exploited in the wild is included in VulnCheck KEV.
Sometimes, additional clarification questions come up, such as:
- What about vulnerabilities that have no patch from the vendor?
- What about end of life systems?
- What about vulnerabilities that do not have a CVE assigned?
- What about vulnerabilities that have a CVE assigned, but the CVE record from NIST (or MITRE) is not yet public?
In short, none of these restrict the addition of vulnerabilities to VulnCheck KEV. The only prerequisite to adding a vulnerability to VulnCheck KEV is that the vulnerability is publicly-reported as exploited in the wild.
In regards to CVE assignment, however, all vulnerabilities in VulnCheck KEV do have a CVE assigned. But on occasion, we see reports of vulnerabilities being exploited in the wild where no such CVE as been assigned. In these cases, VulnCheck, as a CVE Numbering Authority (CNA) will either contact the vendor responsible for CVE assignment or assign a CVE ourselves.
