├── .github
    ├── SECURITY.md
    ├── issue_template.md
    └── pull_request_template.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── known_exploited_vulnerabilities (1).json
├── known_exploited_vulnerabilities (2).csv
├── known_exploited_vulnerabilities (2).json
├── known_exploited_vulnerabilities (3).csv
├── known_exploited_vulnerabilities (3).json
├── known_exploited_vulnerabilities (4).csv
├── known_exploited_vulnerabilities.csv
├── known_exploited_vulnerabilities.json
└── known_exploited_vulnerabilities_schema.json


/.github/SECURITY.md:
--------------------------------------------------------------------------------
# cisagov Security Policy

Please see the [DHS Vulnerability Disclosure Policy](https://www.dhs.gov/vulnerability-disclosure-policy) for details about how we handle vulnerability disclosure.

--------------------------------------------------------------------------------
/.github/issue_template.md:
--------------------------------------------------------------------------------
## Expected behavior

*Describe in as much detail as you can what you expected to see.*

## Observed behavior

*Describe in as much detail as you can what you did see.*

## Notes

*Anything else?*

----

Please be familiar with this repo's [CONTRIBUTING](/CONTRIBUTING.md) guidelines.

Specifically, for suggesting a new KEV entry, please email [KEV@cisa.dhs.gov](mailto:KEV@cisa.dhs.gov), which is monitored directly by CISA employees responsible for validating new KEV entries. For more information on what qualifies for the KEV, see [BOD 22-01](https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities).

--------------------------------------------------------------------------------
/.github/pull_request_template.md:
--------------------------------------------------------------------------------
## Expected behavior

*Describe in as much detail as you can what you expected to see.*

## Observed behavior

*Describe in as much detail as you can what you did see.*

## Testability

*Describe how someone could determine that your pull request does what you say it does.*

## Notes

*Anything else?*

----

Please be familiar with this repo's [CONTRIBUTING](/CONTRIBUTING.md) guidelines.

For suggesting a new KEV entry, please email [KEV@cisa.dhs.gov](mailto:KEV@cisa.dhs.gov), which is monitored directly by CISA employees responsible for validating new KEV entries. For more information on what qualifies for the KEV, see [BOD 22-01](https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities).

Also note: While we will make every effort to merge accepted PRs cleanly to the data files (thus, preserving GitHub credit), there will be occasions where your change will be overwritten in a future update on CISA's backend, since this repository is ultimately a copy of the official data files hosted at https://www.cisa.gov. This repo's maintainers will make the determination, on a case-by-case basis, on how to best resolve PRs as they come up. That said, we very much appreciate your efforts to make the KEV data files more accurate!

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Contributing to kev-data

Thank you so much for your interest in making CISA's Known Exploited Vulnerabilities catalog better!
This repo is a mirror of the official source of KEV data, at [https://www.cisa.gov/known-exploited-vulnerabilities-catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog) (which is short linked at [https://cisa.gov/KEV](https://cisa.gov)).

## Expected Issues

We expect most of the public activity on this repo to be in the form of issues tracked at [https://github.com/cisagov/kev-data/issues](https://github.com/cisagov/kev-data/issues). While of course we strive for an error-free experience with KEV, it's possible for the occasional bug to crop up, such as:
* Typos or misspellings of product or vendor names
* Mischaracterized CWE (Common Weakness Enumeration) identifiers
* Transposed CVE IDs
* Duplicate entries
* JSON schema violations
* Malformed CSV entries
* Broken links to external resources

If you see any bugs like these, we sure would appreciate knowing about them so we can fix them!

## Unexpected Issues

On the other hand, there are some issues that we don't expect to address in this repo. Namely, we don't intend to use this repository to nominate or investigate reports of exploitation of a vulnerability, to request a CVE ID for a newly discovered vulnerability, or examine recommended patches or updates. Those kinds of requests should instead be directed to [KEV@cisa.dhs.gov](mailto:KEV@cisa.dhs.gov), which is directly monitored by the CISA employees responsible for maintaining the KEV.

In short, this repo's issues tracker is best used for technical issues involving the KEV data and its formatting. The content of the KEV and which vulnerabilities qualify for inclusion is managed directly at CISA, as required by [BOD 22-01](https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities).

## Pull Requests

While we will make every effort to merge accepted PRs cleanly to the data files (thus, preserving GitHub credit), there will be occasions where your change will be overwritten in a future update on CISA's backend, since this repository is ultimately a copy of the official data files hosted at https://www.cisa.gov. This repo's maintainers will make the determination, on a case-by-case basis, on how to best resolve PRs as they come up. That said, we very much appreciate your efforts to make the KEV data files more accurate!
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The KEV database is distributed under the Creative Commons 0 1.0 License. You may use this data in any legal manner but note that information provided at any 3rd party links included in the KEV database are bound by the policies and licenses of those 3rd party websites. Use of the information does not authorize you to use the CISA Logo or DHS Seal, nor should such use be interpreted as an endorsement by CISA or DHS.


Creative Commons Legal Code

CC0 1.0 Universal

    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
    HEREUNDER.

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer
exclusive Copyright and Related Rights (defined below) upon the creator
and subsequent owner(s) (each and all, an "owner") of an original work of
authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for
the purpose of contributing to a commons of creative, cultural and
scientific works ("Commons") that the public can reliably and without fear
of later claims of infringement build upon, modify, incorporate in other
works, reuse and redistribute as freely as possible in any form whatsoever
and for any purposes, including without limitation commercial purposes.
These owners may contribute to the Commons to promote the ideal of a free
culture and the further production of creative, cultural and scientific
works, or to gain reputation or greater distribution for their Work in
part through the use and efforts of others.

For these and/or other purposes and motivations, and without any
expectation of additional consideration or compensation, the person
associating CC0 with a Work (the "Affirmer"), to the extent that he or she
is an owner of Copyright and Related Rights in the Work, voluntarily
elects to apply CC0 to the Work and publicly distribute the Work under its
terms, with knowledge of his or her Copyright and Related Rights in the
Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be
protected by copyright and related or neighboring rights ("Copyright and
Related Rights"). Copyright and Related Rights include, but are not
limited to, the following:

  i. the right to reproduce, adapt, distribute, perform, display,
     communicate, and translate a Work;
 ii. moral rights retained by the original author(s) and/or performer(s);
iii. publicity and privacy rights pertaining to a person's image or
     likeness depicted in a Work;
 iv. rights protecting against unfair competition in regards to a Work,
     subject to the limitations in paragraph 4(a), below;
  v. rights protecting the extraction, dissemination, use and reuse of data
     in a Work;
 vi. database rights (such as those arising under Directive 96/9/EC of the
     European Parliament and of the Council of 11 March 1996 on the legal
     protection of databases, and under any national implementation
     thereof, including any amended or successor version of such
     directive); and
vii. other similar, equivalent or corresponding rights throughout the
     world based on applicable law or treaty, and any national
     implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention
of, applicable law, Affirmer hereby overtly, fully, permanently,
irrevocably and unconditionally waives, abandons, and surrenders all of
Affirmer's Copyright and Related Rights and associated claims and causes
of action, whether now known or unknown (including existing as well as
future claims and causes of action), in the Work (i) in all territories
worldwide, (ii) for the maximum duration provided by applicable law or
treaty (including future time extensions), (iii) in any current or future
medium and for any number of copies, and (iv) for any purpose whatsoever,
including without limitation commercial, advertising or promotional
purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
member of the public at large and to the detriment of Affirmer's heirs and
successors, fully intending that such Waiver shall not be subject to
revocation, rescission, cancellation, termination, or any other legal or
equitable action to disrupt the quiet enjoyment of the Work by the public
as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason
be judged legally invalid or ineffective under applicable law, then the
Waiver shall be preserved to the maximum extent permitted taking into
account Affirmer's express Statement of Purpose. In addition, to the
extent the Waiver is so judged Affirmer hereby grants to each affected
person a royalty-free, non transferable, non sublicensable, non exclusive,
irrevocable and unconditional license to exercise Affirmer's Copyright and
Related Rights in the Work (i) in all territories worldwide, (ii) for the
maximum duration provided by applicable law or treaty (including future
time extensions), (iii) in any current or future medium and for any number
of copies, and (iv) for any purpose whatsoever, including without
limitation commercial, advertising or promotional purposes (the
"License"). The License shall be deemed effective as of the date CC0 was
applied by Affirmer to the Work. Should any part of the License for any
reason be judged legally invalid or ineffective under applicable law, such
partial invalidity or ineffectiveness shall not invalidate the remainder
of the License, and in such case Affirmer hereby affirms that he or she
will not (i) exercise any of his or her remaining Copyright and Related
Rights in the Work or (ii) assert any associated claims and causes of
action with respect to the Work, in either case contrary to Affirmer's
express Statement of Purpose.

4. Limitations and Disclaimers.

 a. No trademark or patent rights held by Affirmer are waived, abandoned,
    surrendered, licensed or otherwise affected by this document.
 b. Affirmer offers the Work as-is and makes no representations or
    warranties of any kind concerning the Work, express, implied,
    statutory or otherwise, including without limitation warranties of
    title, merchantability, fitness for a particular purpose, non
    infringement, or the absence of latent or other defects, accuracy, or
    the present or absence of errors, whether or not discoverable, all to
    the greatest extent permissible under applicable law.
 c. Affirmer disclaims responsibility for clearing rights of other persons
    that may apply to the Work or any use thereof, including without
    limitation any person's Copyright and Related Rights in the Work.
    Further, Affirmer disclaims responsibility for obtaining any necessary
    consents, permissions or other rights required for any use of the
    Work.
 d. Affirmer understands and acknowledges that Creative Commons is not a
    party to this document and has no duty or obligation with respect to
    this CC0 or use of the Work.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Welcome to kev-data

This repository is home to the data files that make up the Known Exploited Vulnerabilities (KEV) catalog. The data is originally sourced from https://www.cisa.gov/known-exploited-vulnerabilities-catalog, which is short linked at https://cisa.gov/kev.

## File formats

Currently, KEV data is produced in two formats, [CSV](known_exploited_vulnerabilities.csv) (Comma-Separated Values) and [JSON](known_exploited_vulnerabilities.json) (JavaScript Object Notation).

Additionally, this repo contains the most current [JSON schema](known_exploited_vulnerabilities_schema.json) for the KEV data.

## Update schedule

This repository is updated whenever the [KEV](https://cisa.gov/KEV) is updated. Technically, this repo is updated shortly after the canonical source at cisa.gov is updated, which typically happens weekdays during normal US Eastern business hours when there are new or updated KEV entries. Users should expect both sources ([cisa.gov](https://cisa.gov/KEV) and [github.com](https://github.com/cisagov/kev-data/blob/main/README.md)) to be synchronized within minutes of each other.

The JSON schema will also remain in sync, though that file is not expected to be updated frequently (perhaps a few times per year).

## Contributing

We welcome contribution suggestions from the public to make this repository better and more accurate. Please see this repository's [CONTRIBUTING.md](CONTRIBUTING.md) for more detail. In summary, we expect issues and pull requests to address purely technical issues like typos in prose, broken links to remediation guidance, accidental schema violations, and the like.

Notably, **this is not a repo for requesting additions or deletions of KEV entries**. The KEV is managed by CISA directly, and CISA's requirements for KEV addition are fairly strict, relying on the authority of [BOD 22-01](https://www.cisa.gov/news-events/directives/bod-22-01-reducing-significant-risk-known-exploited-vulnerabilities).

Tips or suggestions about individual entries (beyond technical bug reports) should be directed via email to [KEV@mail.cisa.dhs.gov](mailto:KEV@mail.cisa.dhs.gov).

## Usage

The purpose of this repo of KEV data is to enable easier usage of the KEV JSON and CSV files that CISA produces. GitHub provides a rich API for querying and downloading data sets, so oftentimes, code that is developed and maintained on GitHub (and beyond) has an easier time consuming data sources from GitHub than it might from US government websites.

In addition, the git commit history provided by GitHub can make tracking changes to data sources like the KEV easier and more transparent. The KEV, in particular, has no inline file revision history or log that's easily accessible after the fact. Related vulnerability tracking projects, such as the [CVE List](https://github.com/CVEProject/cvelistV5) and [Vulnrichment](https://github.com/cisagov/vulnrichment), benefit from this kind of public logging and public issue tracking functionality.

## Licensing

This data repository is licensed under the CC0 license, which allows for universal public domain use of the information here. This is identical to the licensing found at https://www.cisa.gov/sites/default/files/licenses/kev/license.txt.

--------------------------------------------------------------------------------
/known_exploited_vulnerabilities_schema.json:
--------------------------------------------------------------------------------
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "description": "A catalog of known exploited vulnerabilities that carry significant risk to the federal enterprise",
  "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
  "properties": {
    "catalogVersion": {
      "description": "Version of the known exploited vulnerabilities catalog",
      "type": "string"
    },
    "dateReleased": {
      "description": "Date-time of Catalog Release in the format YYYY-MM-DDTHH:mm:ss.sssZ",
      "type": "string",
      "format": "date-time"
    },
    "count": {
      "description": "Total number of Known Exploited Vulnerabilities in the catalog",
      "type": "integer"
    },
    "vulnerabilities": {
      "description": "The exploited vulnerabilities included in this catalog",
      "type": "array",
      "items": {
        "$ref": "#/$defs/vulnerability"
      }
    }
  },
  "required": ["catalogVersion", "dateReleased", "count", "vulnerabilities"],
  "$defs": {
    "vulnerability": {
      "type": "object",
      "properties": {
        "cveID": {
          "description": "The CVE ID of the vulnerability in the format CVE-YYYY-NNNN, note that the number portion can have more than 4 digits",
          "type": "string",
          "pattern": "^CVE-[0-9]{4}-[0-9]{4,19}$"
        },
        "vendorProject": {
          "description": "The vendor or project name for the vulnerability",
          "type": "string"
        },
        "product": {
          "description": "The vulnerability product",
          "type": "string"
        },
        "vulnerabilityName": {
          "description": "The name of the vulnerability",
          "type": "string"
        },
        "dateAdded": {
          "description": "The date the vulnerability was added to the catalog in the format YYYY-MM-DD",
          "type": "string",
          "format": "date"
        },
        "shortDescription": {
          "description": "A short description of the vulnerability",
          "type": "string"
        },
        "requiredAction": {
          "description": "The required action to address the vulnerability",
          "type": "string"
        },
        "dueDate": {
          "description": "The date the required action is due in the format YYYY-MM-DD",
          "type": "string",
          "format": "date"
        },
        "knownRansomwareCampaignUse": {
          "description": "'Known' if this vulnerability is known to have been leveraged as part of a ransomware campaign; 'Unknown' if CISA lacks confirmation that the vulnerability has been utilized for ransomware",
          "type": "string"
        },
        "notes": {
          "description": "Any additional notes about the vulnerability",
          "type": "string"
        },
        "cwes": {
          "description": "Common Weakness Enumeration (CWE) codes associated with this vulnerability. CWEs are in the format CWE-NNNN; note that the number portion can have any number of digits",
          "type": "array",
          "items": {
            "type": "string",
            "pattern": "^CWE-([0-9])+$"
          }
        }
      },
      "required": [
        "cveID",
        "vendorProject",
        "product",
        "vulnerabilityName",
        "dateAdded",
        "shortDescription",
        "requiredAction",
        "dueDate"
      ]
    }
  }
}

--------------------------------------------------------------------------------
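
The data-quality bugs CONTRIBUTING.md asks to have reported (duplicate entries, JSON schema violations, malformed CVE or CWE identifiers) can be checked locally before filing an issue. The following is an added example, not code from this repository: a standard-library Python checker that applies the patterns and required fields from the schema above to a constructed sample catalog. The `count`-equals-number-of-entries check, the duplicate check, the function names and every sample value are assumptions of this example.

```python
import re
from datetime import datetime

# Patterns and required fields copied from known_exploited_vulnerabilities_schema.json.
# fullmatch() is used because Python's "$" also matches before a trailing newline.
CVE_RE = re.compile(r"^CVE-[0-9]{4}-[0-9]{4,19}$")
CWE_RE = re.compile(r"^CWE-([0-9])+$")
DATE_RE = re.compile(r"[0-9]{4}-[0-9]{2}-[0-9]{2}")
TOP_REQUIRED = ["catalogVersion", "dateReleased", "count", "vulnerabilities"]
ENTRY_REQUIRED = ["cveID", "vendorProject", "product", "vulnerabilityName",
                  "dateAdded", "shortDescription", "requiredAction", "dueDate"]

def is_date(value):
    """True only for a real calendar date written as YYYY-MM-DD."""
    if not (isinstance(value, str) and DATE_RE.fullmatch(value)):
        return False
    try:
        return bool(datetime.strptime(value, "%Y-%m-%d"))
    except ValueError:
        return False

def check_catalog(catalog):
    """Return (location, problem) tuples; an empty list means no findings."""
    findings = [("catalog", f"missing required property {k}")
                for k in TOP_REQUIRED if k not in catalog]
    entries = catalog.get("vulnerabilities", [])
    # Assumption of this example: "count" should equal the number of entries.
    if isinstance(catalog.get("count"), int) and catalog["count"] != len(entries):
        findings.append(("catalog", f"count={catalog['count']} but {len(entries)} entries"))
    first_seen = {}  # cveID -> index of its first occurrence
    for i, entry in enumerate(entries):
        where = f"vulnerabilities[{i}]"
        for key in ENTRY_REQUIRED:
            if not isinstance(entry.get(key), str):
                findings.append((where, f"missing or non-string {key}"))
        cve = entry.get("cveID")
        if isinstance(cve, str):
            if not CVE_RE.fullmatch(cve):
                findings.append((where, f"cveID {cve!r} violates schema pattern"))
            elif first_seen.setdefault(cve, i) != i:
                findings.append((where, f"duplicate of vulnerabilities[{first_seen[cve]}]"))
        for key in ("dateAdded", "dueDate"):
            if isinstance(entry.get(key), str) and not is_date(entry[key]):
                findings.append((where, f"{key} is not a valid YYYY-MM-DD date"))
        for cwe in entry.get("cwes", []):
            if not (isinstance(cwe, str) and CWE_RE.fullmatch(cwe)):
                findings.append((where, f"cwes item {cwe!r} violates schema pattern"))
    return findings

def sample_entry(cve, **overrides):
    # Constructed entry: every value is a placeholder, not real KEV data.
    entry = {"cveID": cve, "vendorProject": "ExampleVendor", "product": "ExampleProduct",
             "vulnerabilityName": "Placeholder Vulnerability", "dateAdded": "2099-01-02",
             "shortDescription": "Constructed sample entry.", "requiredAction": "Placeholder.",
             "dueDate": "2099-01-23", "cwes": ["CWE-79"]}
    return {**entry, **overrides}

SAMPLE = {"catalogVersion": "2099.01.02", "dateReleased": "2099-01-02T15:00:00.000Z",
          "count": 5, "vulnerabilities": [
              sample_entry("CVE-2099-0001"),
              sample_entry("CVE-2099-0001"),   # duplicate entry
              sample_entry("CVE-2099-002"),    # number part shorter than 4 digits
              sample_entry("CVE-2099-0003", dueDate="2099-02-30", cwes=["CWE79"])]}
```

To run it against the real file, pass the result of `json.load()` on `known_exploited_vulnerabilities.json` to `check_catalog()`; each finding names the array index to cite in an issue.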