Security Vulnerability Policy


Cisco Product Security Incident Response


Reporting Cisco Product Security Incidents: If you are under active security attack or are experiencing a security emergency, see "Reporting Security Incidents" in this document.

Reporting a Suspected Security Vulnerability

Cisco’s Product Security Incident Response Team (PSIRT) is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information related to Cisco products and networks. The on-call PSIRT team works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks. Anyone who has a product security issue is strongly encouraged to contact PSIRT directly via one of the following methods:

Contacting PSIRT

Emergency phone support:

PSIRT Security Hotline: For immediate PSIRT assistance in an emergency situation, PSIRT can be contacted via a dedicated hotline 24 hours a day, 7 days a week by dialing: +1 877 228 7302 or +1 408 525 6532.

Emergency email: security-alert@cisco.com

This method will page the duty manager for PSIRT, who will respond within 2 hours. Should PSIRT fail to respond, please contact the PSIRT hotline number referenced above.

Non-Emergency email: psirt@cisco.com

This method will notify PSIRT via e-mail. Reports via e-mail will be acknowledged within 48 hours.

Both security-alert@cisco.com and psirt@cisco.com are for reporting sensitive data to a limited number of designated Cisco security subject matter experts. These lists are limited to Cisco employees authorized to manage security incidents. Cisco encourages the encryption of sensitive information sent to Cisco via e-mail. Cisco PSIRT supports encrypted messages via Pretty Good Privacy (PGP)/GNU Privacy Guard (GPG). The PSIRT team public key (key id 0xCF14FEE0) is available on multiple public key servers.

Cisco Technical Assistance Center:

Alternatively, if you are under active security attack or have more general security concerns about your Cisco network, you can contact the Cisco Technical Assistance Center at +1 408 526 7209, +1 800 553 2447, or by locating country-specific contact information. The technical support agents will escalate to the proper PSIRT personnel to assist you.

Incident Response Eligibility

Customers with service contracts receive incident response assistance for any incident in which a Cisco product plays a significant role, regardless of whether there is an identified problem with a Cisco product.

All customers, regardless of contract status, may receive free-of-charge incident response assistance for any incident that involves a known or reasonably suspected security vulnerability in a Cisco product. Cisco reserves the right to determine the type and scope of assistance it can offer in connection with any incident and to withdraw from any incident investigation at any time. Cisco also may prioritize security incidents that involve actual or potential threats to persons, property, and the Internet, as well as requests from law enforcement agencies or established incident response organizations.

Non-Customers/Researchers, Other External Organizations:

Cisco welcomes reports from independent researchers, industry organizations, other vendors, and any other sources concerned with network or application security. The same procedures noted above for reporting product security concerns to Cisco should be used.

The Investigation Process

The Cisco PSIRT investigates all reports regardless of the Cisco software code version or product lifecycle status. Issues will be prioritized on the potential severity of the vulnerability and other environmental factors. The ultimate resolution of the reported incident may require upgrades to products that are under active support from Cisco.

Throughout the investigation process, the Cisco PSIRT strives to work collaboratively with the source of the report (“incident reporter”) in order to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure. If the incident reporter disagrees with the conclusion, PSIRT will make every effort to address those concerns.

For incidents where agreement cannot be reached through the normal process, incident reporters may escalate by contacting Cisco’s Technical Assistance Center and requesting the director of the global PSIRT team.

During any investigation, the Cisco PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those who have a legitimate need to know and can actively assist in the resolution. Similarly, the Cisco PSIRT will ask incident reporters to maintain strict confidentiality until complete resolutions are available for our customers and have been published by PSIRT on Cisco.com via appropriate coordinated disclosure.

For externally reported vulnerabilities, PSIRT may acknowledge the reporter of the information at their request, in the public disclosure of the vulnerability.

For vulnerabilities reported to Cisco that may impact multiple vendors (e.g., a generic protocol issue), our practice is to work with third-party coordination centers such as CERT/CC or NISCC to manage a coordinated industry disclosure. In those situations, the Cisco PSIRT will either assist the vulnerability reporter in contacting the coordination center, or may do so on their behalf.

For vulnerabilities reported to Cisco PSIRT involving another vendor’s product(s), the PSIRT will notify the vendor directly, coordinate with the reporter, or engage a third-party coordination center.

PSIRT will coordinate with the reporter of an incident to determine incident and documentation update frequency and status.

Providing Software Patches and/or Workarounds

Upon the confirmation of a security vulnerability, the Cisco PSIRT will manage the creation of software patches and/or workarounds to address the vulnerability and subsequent public disclosure. Under the best of circumstances, Cisco will publish a security announcement when it has a complete set of software patches and workarounds available for customers. In unusual instances such as confirmed active exploitation of the vulnerability or new public information that could increase the risk to customers, Cisco will accelerate the publication of a security announcement for the vulnerability. Under these circumstances, accelerated publication may occur in the absence of a complete set of patches or workarounds available. When coordinating disclosure with outside parties, we will attempt to notify them of changes to the PSIRT public disclosure schedule.

Cisco delivers technical security information about software fixes in Cisco products and distributes product updates through several channels.

Cisco security vulnerabilities are disclosed to all customers and the public at the same time. Cisco reserves the right to deviate from this policy on an exception basis to ensure access to CCO (Cisco.com) for software patch availability.

Accessing Security Vulnerability Information

Cisco PSIRT provides the following types of publications for security vulnerability information.

Security Advisories

Security Advisories are published for significant security issues that directly involve Cisco products and require an upgrade, fix, or other customer action. Security Advisories are posted to Cisco.com and sent to the customer security announce list, as well as various public mailing lists and newsgroups (for example, full-disclosure and BugTraq).

Security Responses

Security Responses are published to address less severe problems affecting network security or for issues that require a response to information posted to a public discussion forum. They are normally published under one of two circumstances:

  • If a third party (that is, outside of Cisco) makes a public statement about a vulnerability affecting a Cisco product that Cisco has previously addressed through our own standard disclosure process, or that, due to the nature of the issue, does not warrant the visibility of a Security Advisory. Cisco uses CVSS as part of its standard process of evaluating all reported potential vulnerabilities in its products.
  • If a significant security vulnerability exists in another vendor's product that could affect a Cisco product due to interoperation with the vendor's product or usage of the network as a vector for exploitation.

Security Responses are posted to Cisco.com and sent to the customer security announce list only. Note: previously, these were referred to as Security Notices.

Cisco.com

Information about Cisco Security Functions, including services and products relevant to security, is available at our Web site: http://www.cisco.com/security/.

Email

In addition to the posting on Cisco.com, Product Security Advisories and Responses are sent by email to cust-security-announce@cisco.com. Anyone may subscribe to this email list using the procedures described in the Subscribing to the Customer Security Announce Mailing List section of this document.

RSS Feeds

Security Advisories and Responses are available via RSS feeds on Cisco.com. These feeds are free and do not require any active Cisco.com registration. Information for subscribing to RSS feeds is found at:

http://www.cisco.com/en/US/products/products_psirt_rss_feed.html

Security Software Updates

Cisco customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels, generally via the Cisco web site. If you are such a contract customer, please use this resource. Contact the Cisco Technical Assistance Center (TAC) only if you have specific or imminent problems or questions.

As a special customer service, and to improve the overall security of the Internet, Cisco may offer free of charge to customers software updates to address security problems. If Cisco has offered a free software update to address a specific issue, non-contract customers who are eligible for the update may obtain it by contacting the Cisco TAC by any of the means described in the Contact Summary section of this document. In order to enable the TAC to verify your entitlement, please have the URL of the Cisco document offering the upgrade available when you call the TAC.

All aspects of this process are subject to change without notice and on a case-by-case basis. No particular level of response is guaranteed for any specific issue or class of issues.

Reporting Security Incidents

If you are under active security attack or believe that you are about to be attacked, contact the Cisco Technical Assistance Center at +1 408 526 7209 or +1 800 553 2447 or by any of the means listed under "Contact Summary" in this document. The TAC dispatch agents will contact the appropriate PSIRT personnel to assist you.

If you have such an incident in progress, need emergency assistance, and do not wish to go through the TAC, you may also contact the PSIRT directly at security-alert@cisco.com or via telephone at +1 877 228 7302 or +1 408 525 6532. These emergency PSIRT contact addresses and telephone numbers should only be used for active security incidents and urgent reports of security bugs in Cisco products.

Please do not use these PSIRT addresses/numbers for security configuration "how-to" questions, for clarifications about security field notices, software update requests, or non-security-related issues. Such requests should be addressed to the TAC, which provides the fastest possible response, 24 hours a day, 365 days a year. Other technical incident response help ("How can I configure an access list to block this?") is also provided by regular TAC support personnel.

The Cisco PSIRT provides assistance involving highly confidential incidents, forensics, law enforcement, tracking or tracing attack sources, exploitation of unannounced Cisco product security defects, non-Cisco products, or very specialized security skills. If you need to contact the PSIRT directly but do not need emergency help, use "psirt@cisco.com" instead of "security-alert@cisco.com."

Incident Confidentiality

All TAC calls are treated confidentially. For especially sensitive incidents, special confidentiality measures can be taken to reduce the probability of inadvertent disclosure. If you seek elevated confidentiality, please inform the person who answers the telephone that your case is sensitive and ask that it not be recorded in the Cisco case tracking database. Your case will then be dispatched directly to members of the PSIRT, and will be handled on a "need to know" basis within Cisco.

Cisco Systems' Role in Customer Incidents

Cisco plays a supporting role in customer security incidents, offering technical support and expertise. Incident decision-making remains with the customer.

Incident Response Eligibility

Customers with service contracts receive incident response assistance for any incident in which a Cisco product plays a significant role, regardless of whether there is an identified problem with a Cisco product.

All customers, regardless of contract status, receive, free of charge, incident response assistance similar to that offered to contract customers for any incident that involves a known or reasonably suspected security vulnerability in a Cisco product.

Cisco reserves the right to determine the type and degree of assistance it may offer in connection with any incident, and to withdraw from any incident at any time. From time to time, Cisco may offer customers identified incident response services free of charge. Cisco may give special consideration to security incidents that involve actual or potential threats to persons, property, or the Internet as well as requests from law enforcement agencies or formal incident response teams.

Subscribing to the Customer Security Announce Mailing List

The cust-security-announce@cisco.com mailing list is an external list that allows anyone interested to subscribe and receive Cisco security announcements.

To subscribe to "cust-security-announce@cisco.com," send an e-mail message to "cust-security-announce-join@cisco.com" (the content of the message does not matter). You will receive confirmation instructions and a list policy statement.

Please remember:

  • The request must go to "cust-security-announce-join@cisco.com," not to the cust-security-announce list itself.
  • You must send the message from the account that will be subscribed to the list. We do not accept subscriptions for one account that are sent from a second account.

Because many Cisco customers want to see only announcement messages from Cisco, only certain Cisco employees are authorized to send messages to cust-security-announce@cisco.com.

Individuals who wish to subscribe to this alias may also send e-mail to psirt@cisco.com to request access to this list.

There is a separate discussion list, called "cust-security-discuss@cisco.com," that permits security-related discussions between Cisco customers. You can subscribe to "cust-security-discuss@cisco.com" in the same way that you would subscribe to "cust-security-announce@cisco.com." Only subscribers are permitted to send messages to "cust-security-discuss@cisco.com."

PSIRT Process Flow

The following illustration shows the PSIRT process at a high level. This illustration is designed to give a general overview of the lifecycle of a vulnerability and how it moves through the resolution process.

[Illustration: PSIRT process flow (lifecycle of a vulnerability through the resolution process)]

Contact Summary

Cisco Technical Assistance Center (TAC): security product configuration assistance, purely technical assistance with security matters, software upgrades for security bug fixes, non-sensitive security incidents:

  • +1 800 553 2447 (toll-free from within North America)
  • +1 408 526 7209 (toll call from anywhere in the world)
  • Additional TAC numbers: Customer Service Contacts
  • E-mail (not for emergencies): tac@cisco.com

Cisco Product Security Incident Response Team (PSIRT): highly confidential security matters, active system intrusion incidents, exploitation of unannounced security bugs, security incidents with special technical requirements, law enforcement, and IRT contacts:

  • For emergency telephone support from the PSIRT, use the TAC numbers above.
  • For emergency e-mail, use security-alert@cisco.com
  • For non-emergency e-mail, use psirt@cisco.com
  • For direct emergency telephone contact with the PSIRT, call +1 877 228 7302 or +1 408 525 6532. However, you should use the TAC numbers unless you have a particular need to bypass the TAC dispatch process.
  • PGP keys for the PSIRT are on the public key servers.

Press contacts for security notices:

The information on this webpage is provided on an "as is" basis and does not imply any kind of guarantee or warranty of any kind. Your use of the information on this webpage or materials linked from this webpage is at your own risk. Cisco reserves the right to change or update this webpage without notice at anytime.