SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CISA Announces CVE Enrichment Project ‘Vulnrichment’

CISA’s Vulnrichment project is adding important information to CVE records to help improve vulnerability management processes.
CISA

The US cybersecurity agency CISA on Wednesday announced a new project that aims to add important information to CVE records in an effort to help organizations improve their vulnerability management processes.

The project is named Vulnrichment and its goal is the enrichment of public CVE records with Common Platform Enumeration (CPE), Common Vulnerability Scoring System (CVSS), Common Weakness Enumeration (CWE), and Known Exploited Vulnerabilities (KEV) data.

CISA says it has already enriched 1,300 CVEs — particularly new and recent CVEs — and is asking all CVE numbering authorities (CNAs) to provide complete information when submitting vulnerability information to CVE.org. 

The agency says it’s initially taking each CVE through a Stakeholder-Specific Vulnerability Categorization (SSVC) scoring process. 

SSVC, developed by CISA in collaboration with Carnegie Mellon University’s Software Engineering Institute, provides a vulnerability analysis methodology that accounts for a vulnerability’s exploitation status, safety impact, and prevalence of the affected product.

In the next phase, further analysis is conducted for vulnerabilities that have a high-impact, are automatable, have PoC exploit code available, or are already being exploited in attacks.  

Advertisement. Scroll to continue reading.

CISA says the information added as part of the Vulnrichment project can help organizations prioritize remediation efforts and understand trends, and it can drive vendors to address entire classes of vulnerabilities.

The Vulnrichment project is hosted on GitHub and each enriched CVE entry is available in JSON format to allow organizations to easily incorporate the updates into their vulnerability management processes. 

CISA is often the first to issue public warnings about a vulnerability being exploited in the wild. The agency’s KEV catalog, which includes over 1,100 exploited flaw entries, has become an important resource for vulnerability management.

Related: Zoom Unveils Open Source Vulnerability Impact Scoring System

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: CISA Releases Decision Tree Model to Help Companies Prioritize Vulnerability Patching

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

More from

Latest News

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Webinar: ROSI for CPS Security Programs
May 13, 2026

In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities.

Register

Virtual Event: Threat Detection and Incident Response Summit
May 20, 2026

Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization.

Register

People on the Move

Malwarebytes has named Chung Ip as Chief Financial Officer.

Semperis has appointed John Podboy as Chief Information Security Officer.

Randy Menon has become Chief Product and Marketing Officer at One Identity.

More People On The Move

Expert Insights

Popular Topics

Security Community

Stay Intouch

About SecurityWeek

News Tips

Got a confidential news tip? We want to hear from you.

Submit Tip

Advertising

Reach a large audience of enterprise cybersecurity professionals

Contact Us

Daily Briefing Newsletter

Subscribe to the SecurityWeek Daily Briefing and get the latest content delivered to your inbox.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.