Closed patrickmgarrity closed 1 month ago
Short answer: The primary source is the CVE List. So a change to a CVE Record triggers vulnrichment reassessment, which may or may not lead to changes to vulnriched data. Note that KEV has a separate process and does monitor sources other than the CVE List. SSVC also includes a separate process that includes other sources. Changes from both of these processes feed into the vulnrichment process.
Thanks for the insight!
For the CISA Coordinator options, for "Exploitation", can you clarify:
Only a subset of exploitation / POCs are confirmed around the time of CVE disclosure, which is why I'm curious.