Add `known-exploited` or similar as a container tag

[david-waltermire]

Based on the work at CISA on the known exploited vulnerabilities catalog, it might be useful to include a tag in the CVE record CNA and ADP containers to indicate that there is evidence that a given vulnerability has been exploited.

[chandanbn]

Ensure we have a clear /crisp definition. Eg., existence of PoC need not imply exploited.

[zmanion]

Why not just search for the CVE ID in KEV (or your "exploited" list of choice)? I.e., why reproduce and maintain that flag with the CVE record? This gets into the discussion of how much to include within CVE records/JSON.

Exploitedness can be recorded in CVSS temporal or SSVC, so we'd have another place, within a CVE record, to maintain copies of the same knowledge. Maybe exploitedness belongs in metrics, whether in CNA or ADP containers?

[zmanion]

Revising my previous comment, CISA KEV has three requirements: Evidence of active exploitation (carefully determined by CISA), a CVE ID, and a meaningful mitigation (like a fix). For CVE, a "known-exploited" tag might only require the first two criteria, and we'd need to give some attention to what constitutes "suficient evidence" which can be tricky.

We have an "exploit" reference tag, maybe "known-exploited" could also be a referrence tag, thus requiring a reference, which is at least some evidence.

Also, as of May 2024, CISA KEV is being recorded in the CISA ADP container, so is an SSVC:Exploitation value.

[jayjacobs]

For all of the points Art raised, I would recommend NOT including this field.
Not because the field isn't useful or important or anything like that, but allowing CNAs to claim "known exploited" without any description of how they know and their methodology, when they observed this, updates on if they still see exploitation activity, or any of the other details that would make this useful is just asking for a collection of mediocre, noisy and untrustworthy data.
We should allow other efforts focused on tracking this (like CISA KEV) to do what they do, and then then solicit them as an ADP to bring their expertise to the CVE data.

[ccoffin]

Discussed in 12/12/2024 QWG. Would not be useful to have a generic known-exploited tag. We could add a tag for the fact that the CVE Record exists on the KEV, but this is essentially duplicating what exists in another database. However, if someone is using cve.org CVE entry as their source of truth, maybe it makes sense to note that the CVE Record exists on the KEV. Also, CISA ADP currently adds entry to metric/other for KEV CVEs. Closing this for now until we have data consumers asking for KEV to be part of the CVE Record Format outside of what is already provided today by CISA ADP.