Vendor Vulnerability Reporting and Disclosure Policy

This document defines policy regarding the coordinated reporting and disclosure of vulnerabilities in non-Cisco products and services by Cisco Systems, Inc. employees. In the event that vulnerabilities are found in a vendor's product or service, Cisco will attempt to contact the vendor through email or phone to notify the vendor of such a discovery. On first contact, an attempt will be made to create a secure communication channel by exchanging PGP keys for encrypted email. If a secure communications channel is achieved, then an encrypted copy of the vulnerability report will be sent to the vendor. If no response to the attempt to create a secure communications channel is received within seven days, a plaintext description of the vulnerability will be supplied to the vendor. Fifteen days after the vulnerability report is delivered to the vendor, the report will also be supplied to the Carnegie Mellon Computer Emergency Response Team (CERT). In compliance with the CERT vulnerability disclosure guidelines, the vendor will have approximately forty-five days before public disclosure of the vulnerability information.

Disclosure Timeline

Day 0

  • Initial vendor contact
  • Protections released to customers utilizing Cisco security products

Day 7

  • Second vendor contact if no response is received

Day 15

  • Vulnerability report forwarded to CERT
  • Publish vendor notification date on Cisco vulnerability tracker website

Day 60

  • Vulnerability is disclosed by CERT per their coordination guidelines
  • Publish full disclosure vulnerability report on the Talos vulnerability tracker after a patch or mitigation is released or the time limit expires

In the interest of coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the timeline if progress is being made and the default timeline is not adequate for creating a patch. Extenuating circumstances, such as threats of any nature, may result in adjustments to disclosures and timelines.

See the CERT disclosure guidelines for additional information.

Contact Information

  • Email address:
  • PGP key: The Cisco vendor vulnerability public key (key ID 0x0B3BB3A7) is available on multiple public key servers.

Last Updated: 2015 May 22

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.
