This document defines policy regarding the coordinated reporting and disclosure of vulnerabilities in non-Cisco products and services by Cisco Systems, Inc. employees. In the event that vulnerabilities are found in a vendor's product or service, Cisco will attempt to contact the vendor through email or phone to notify the vendor of such a discovery. On first contact, an attempt will be made to create a secure communication channel by exchanging PGP keys for encrypted email. If a secure communications channel is achieved, then an encrypted copy of the vulnerability report will be sent to the vendor. If no response to the attempt to create a secure communications channel is received within seven days, a plaintext description of the vulnerability will be supplied to the vendor. Fifteen days after the vulnerability report is delivered to the vendor, the report will also be supplied to the Carnegie Mellon Computer Emergency Response Team (CERT). In compliance with the CERT vulnerability disclosure guidelines, the vendor will have approximately forty-five days before public disclosure of the vulnerability information.
In the interest of coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the timeline if progress is being made and the default timeline is not adequate for creating a patch. Extenuating circumstances, such as threats of any nature, may result in adjustments to disclosures and timelines.
See the CERT disclosure guidelines for additional information.
Last Updated: 2015 May 22
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in this document or in materials linked from it is at your own risk. Cisco reserves the right to change or update this document without notice at any time.