CISA Kills Off RSS Feeds for KEVs and Cyber Alerts

On May 12, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) quietly retired one of its most automation-friendly distribution channels: RSS feeds. Routine updates to cybersecurity guidance and the Known Exploited Vulnerabilities (KEV) Catalog will no longer be delivered via RSS or listed on the agency’s Cybersecurity Alerts & Advisories webpage. Instead, CISA is shifting to a closed system of email notifications (via GovDelivery) and posts on social media platforms like X:

Starting May 12, CISA is changing how we announce cybersecurity updates and the release of new guidance. These announcements will only be shared through CISA social media platforms and email and will no longer be listed on our Cybersecurity Alerts & Advisories webpage.

The focus of our Cybersecurity Alerts & Advisories webpage will now be on urgent information tied to emerging threats or major cyber activity. CISA wants this critical information to get the attention it deserves and ensure it is easier to find. We’ll continue to communicate releases and updates to our stakeholders. To stay informed, subscribe to receive our email notifications on CISA.gov. You can also follow us on X @CISACyber for timely cybersecurity updates. 

Note: If you’ve previously used RSS feeds to track Known Exploited Vulnerabilities Catalog updates, please subscribe to the KEV subscription topic through GovDelivery to continue receiving notifications.

The stated goal is to ensure that the most urgent threats get top billing on CISA’s website, but in doing so, the agency has removed a simple, open format that many defenders and developers depended on. There is no replacement feed, and RSS is no longer mentioned or supported in any official documentation. For those who relied on structured, machine-readable updates, the change is a step backward.

A Hit to Automation and Interoperability#

RSS was more than a convenience. It allowed security teams to wire CISA alerts directly into dashboards, workflows, and alerting systems, without relying on proprietary platforms or parsing unstructured emails. Its removal disrupts a wide ecosystem of tools and custom scripts that were built around the predictability and openness of RSS.

This change potentially impacts a range of SIEM and threat monitoring tools and platforms that support RSS ingestion and may have relied on CISA’s feeds for automated updates. Community trackers like CISA KEV Tracker, which relied on automation to monitor CISA updates in near real time, may also be impacted, along with custom internal workflows that use RSS to build lightweight alerting without the overhead of vendor APIs.

Tools like Splunk, MISP (Malware Information Sharing Platform), and OpenCTI support RSS ingestion and some integrations may have used CISA’s feeds to automate the flow of external alerts and advisories into internal systems.

The loss of RSS as an official channel removes a straightforward integration path for users who did rely on it, increasing the friction and complexity of staying up to date.

Now, teams will need to rethink their integrations, assuming they can at all.

A Shift Toward Closed Channels#

The decision hasn’t caused major public outcry, but it hasn’t gone unnoticed either. Security professionals have voiced frustration, particularly on Mastodon, where some questioned why such a low-maintenance and developer-friendly format was eliminated in favor of email and social media.

Observers noted that RSS is both trivial to maintain and widely compatible with existing tooling, while email and social platforms introduce barriers to automation and increase operational overhead.

Others noted that an Atom feed of KEV commit history still exists on GitHub, but it’s no longer referenced in any official documentation and may not remain stable. In practice, email is now the only officially supported channel for receiving KEV updates.

This move follows a broader trend: government agencies adopting closed, individualized channels for communication. RSS offered something different: machine-readable, open, and accessible without sign-up forms or corporate gatekeepers. That simplicity made it ideal not just for enterprise integration, but for open source tools, academic research, and defenders operating without a commercial stack.

With RSS gone, those use cases become harder to support. And while the goal of elevating high-priority alerts is understandable, it’s worth asking what’s lost when routine but important guidance disappears from public view—or lands in an inbox spam folder.

Socket will continue to monitor how this change affects downstream tools and community projects that rely on public threat intelligence infrastructure.