Vendor Vulnerability Reporting and Disclosure Policy
Purpose

This policy sets forth the reporting and disclosure process that Cisco Systems, Inc. and its subsidiaries (collectively, “Cisco”) follow when we discover security vulnerabilities in non-Cisco products and services.

Policy

This policy must clearly state the timeline, actions, and responsibilities equally available to all non-Cisco vendors.

Vendor Vulnerability Reporting and Disclosure

If a vulnerability is found in a vendor’s product or service, Cisco will attempt to contact the vendor by email to notify the vendor of such discovery. Cisco will initially attempt to create a secure communication channel with the vendor by exchanging PGP keys for encrypted email. If a secure communication channel is successfully created, then an encrypted copy of the vulnerability report will be sent to the vendor through that channel. If no response to the attempt to create a secure communication channel is received by Cisco within seven (7) days, then a description of the vulnerability will be sent by email to the vendor in plain text.

Our approach to vulnerability disclosure is based on industry standards and the Carnegie Mellon University Computer Emergency Response Team (CERT) vulnerability policy. For additional information, see the CERT disclosure guidelines.

If Cisco discovers a vulnerability in a vendor’s product or service, it will take the following steps:

Actions to be Taken by Cisco

Day 0
  • Initial vendor contact
  • Protections released to Cisco customers for Cisco security products
  • Cisco may also use this vulnerability information prior to publication to enhance certain Cisco security products
  • Assignment of CVE (Common Vulnerabilities and Exposures) if vendor is not a CNA (CVE Numbering Authority)
  • Vendor name and report date listed on Cisco Talos vulnerability tracker website

Day 7
  • Second vendor contact if there is no response to Cisco’s initial communication

Day 45
  • Reminder email sent to the vendor with the release date of the vulnerability report

Day 60
  • If the vendor has not responded or has stopped responding, a final reminder email will be sent

Day 90
  • Disclosure of the full vulnerability report on the Cisco Talos vulnerability tracker website; however, if the vendor releases a patch or mitigation for the vulnerability before the 90th day, then Cisco will disclose the full vulnerability report immediately following vendor’s release of such patch or mitigation
  • CVE publication request submitted to MITRE
In the interest of fostering coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances may result in adjustments to the disclosures and timelines when reasonably necessary.

Contact Information
Definitions

For purposes of this policy, the following definitions apply:

Term    Definition
CERT    Carnegie Mellon University Computer Emergency Response Team
CNA     CVE Numbering Authority
CVE     Common Vulnerabilities and Exposures
MITRE   Manages the CVE database
PGP     Pretty Good Privacy encryption software
Last Updated: Apr 20, 2022

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

Internal Reference Policy: Vendor Vulnerability Reporting and Disclosure Policy, EDCS-19537550

Owning Function: Cisco Talos
© 2022 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.