Vendor Vulnerability Reporting and Disclosure Policy


Vendor Vulnerability Reporting and Disclosure Policy



This policy sets forth the reporting and disclosure process that Cisco Systems, Inc. and its subsidiaries (collectively, “Cisco”) follow when we discover security vulnerabilities in non-Cisco products and services.


This policy must clearly state the timeline, actions, and responsibilities equally available to all non-Cisco vendors.

Vendor Vulnerability Reporting and Disclosure

If a vulnerability is found in a vendor’s product or service, Cisco will attempt to contact the vendor by email to notify the vendor of such discovery. Cisco will initially attempt to create a secure communication channel with the vendor by exchanging PGP keys for encrypted email. If a secure communication channel is successfully created, then an encrypted copy of the vulnerability report will be sent to the vendor through that channel. If no response to the attempt to create a secure communication channel is received by Cisco within seven (7) days, then a description of the vulnerability will be sent by email to the vendor in plain text.

Our approach to vulnerability disclosure is based on industry standards and the Carnegie Mellon University Computer Emergency Response Team (CERT) vulnerability policy. For additional information, see the CERT disclosure guidelines.

If Cisco discovers a vulnerability in a vendor’s product or service, it will take the following steps:

  Actions to be Taken by Cisco
 Day 0 
  • Initial vendor contact
  • Protections released to Cisco customers for Cisco security products
  • Cisco may also use this vulnerability information prior to publication to enhance certain Cisco security products
  • Assignment of CVE (Common Vulnerabilities and Exposures) if vendor is not a CNA (CVE Numbering Authority)
  • Vendor name and report date listed on Cisco Talos vulnerability tracker website
 Day 7 
  • Second vendor contact if there is no response to Cisco’s initial communication
 Day 45 
  • Reminder email sent to the vendor with the release date of the vulnerability report
 Day 60 
  • If the vendor has not responded or has stopped responding, a final reminder email will be sent
 Day 90 
  • Disclosure of the full vulnerability report on the Cisco Talos vulnerability tracker website; however, if the vendor releases a patch or mitigation for the vulnerability before the 90th day, then Cisco will disclose the full vulnerability report immediately following vendor’s release of such patch or mitigation
  • CVE publication request submitted to MITRE


In the interest of fostering coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances may result in adjustments to the disclosures and timelines when reasonably necessary.

Contact Information




For purposes of this policy, the following definitions apply:

Term Definition
CERT Carnegie Mellon University Computer Emergency Response Team
CNA CVE Numbering Authority
CVE Common Vulnerabilities and Exposures
MITRE Manages the CVE database
PGP Pretty Good Privacy encryption software


Last Updated: Apr 20, 2022

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

Internal Reference Policy: Vendor Vulnerability Reporting and Disclosure Policy, EDCS-19537550

Owning Function: Cisco Talos

© 2022 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.