Connect with us

Hi, what are you looking for?



CISA Announces CVE Enrichment Project ‘Vulnrichment’

CISA’s Vulnrichment project is adding important information to CVE records to help improve vulnerability management processes.


The US cybersecurity agency CISA on Wednesday announced a new project that aims to add important information to CVE records in an effort to help organizations improve their vulnerability management processes.

The project is named Vulnrichment and its goal is the enrichment of public CVE records with Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities (KEV) data.

CISA says it has already enriched 1,300 CVEs — particularly new and recent CVEs — and is asking all CVE numbering authorities (CNAs) to provide complete information when submitting vulnerability information to 

The agency says it’s initially taking each CVE through a Stakeholder-Specific Vulnerability Categorization (SSVC) scoring process. 

SSVC, developed by CISA in collaboration with Carnegie Mellon University’s Software Engineering Institute, provides a vulnerability analysis methodology that accounts for a vulnerability’s exploitation status, safety impact, and prevalence of the affected product.

In the next phase, further analysis is conducted for vulnerabilities that have a high-impact, are automatable, have PoC exploit code available, or are already being exploited in attacks.  

CISA says the information added as part of the Vulnrichment project can help organizations prioritize remediation efforts and understand trends, and it can drive vendors to address entire classes of vulnerabilities.

The Vulnrichment project is hosted on GitHub and each enriched CVE entry is available in JSON format to allow organizations to easily incorporate the updates into their vulnerability management processes. 

Advertisement. Scroll to continue reading.

CISA is often the first to issue public warnings about a vulnerability being exploited in the wild. The agency’s KEV catalog, which includes over 1,100 exploited flaw entries, has become an important resource for vulnerability management.

Related: Zoom Unveils Open Source Vulnerability Impact Scoring System

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.