This policy sets forth the reporting and disclosure process that Cisco Systems, Inc. and its subsidiaries (collectively, “Cisco”) follow when we discover security vulnerabilities in non-Cisco products and services.
This policy states the timeline, actions, and responsibilities that apply equally to all non-Cisco vendors.
If a vulnerability is found in a vendor’s product or service, Cisco will attempt to contact the vendor by email to notify the vendor of such discovery. Cisco will initially attempt to create a secure communication channel with the vendor by exchanging PGP keys for encrypted email. If a secure communication channel is successfully created, then an encrypted copy of the vulnerability report will be sent to the vendor through that channel. If no response to the attempt to create a secure communication channel is received by Cisco within seven (7) days, then a description of the vulnerability will be sent by email to the vendor in plain text.
Our approach to vulnerability disclosure is based on industry standards and the Carnegie Mellon University Computer Emergency Response Team (CERT) vulnerability policy. For additional information, see the CERT disclosure guidelines.
If Cisco discovers a vulnerability in a vendor’s product or service, it will take the following steps:
| | Actions to be Taken by Cisco |
|---|---|
| Day 0 | |
| Day 7 | |
| Day 45 | |
| Day 60 | |
| Day 90 | |
In the interest of fostering coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances may result in adjustments to the disclosures and timelines when reasonably necessary.
For purposes of this policy, the following definitions apply:
Last Updated: Apr 20, 2022
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.
Internal Reference Policy: Vendor Vulnerability Reporting and Disclosure Policy, EDCS-19537550
Owning Function: Cisco Talos
© 2022 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.