Security Vulnerability Policy
If you are experiencing a security vulnerability emergency, see the "Reporting or Obtaining Support for a Suspected Security Vulnerability" section of this document.
Contents
Reporting or Obtaining Support for a Suspected Security Vulnerability
General Security-Related Queries
Receiving Security Vulnerability Information from Cisco
Public Relations or Press Queries Regarding Cisco Security Vulnerability Information
Cisco Product Security Incident Response Process
Assessing Security Risk — Common Vulnerability Scoring System
Types of Security Publications
Cisco Security Notices
Cisco Security Responses
Cisco Event Responses
Cisco Applied Mitigation Bulletins
Threat Outbreak Alerts
Release Note Enclosures
Disclosure Schedule
Incident Response Eligibility
Security Software Updates
Cisco Product Security Incident Response
The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents. The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The Cisco PSIRT is on call 24 hours a day and works with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.
Reporting or Obtaining Support for a Suspected Security Vulnerability
Individuals or organizations that are experiencing a product security issue are strongly encouraged to contact the Cisco PSIRT. Cisco welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security. Please contact the Cisco PSIRT using one of the following methods.
Emergency Support
    Phone: +1 877 228 7302 (toll-free within North America)
    Hours: 24 hours a day, 7 days a week
Nonemergency Support
    Hours: Support requests that are received via e-mail are typically acknowledged within 48 hours.
Cisco encourages the encryption of sensitive information that is sent to Cisco in e-mail messages. The Cisco PSIRT supports encrypted messages via PGP/GNU Privacy Guard (GPG). The Cisco PSIRT team public key (key ID 0x7FC16D3A) is available on multiple public key servers. Before encrypting to a key retrieved from a key server, confirm that it is the key with that ID; anyone can upload a key under any name, so a user ID of "Cisco PSIRT" alone is not proof that a key belongs to the team.
General Security-Related Queries
For general security concerns about Cisco products, the Cisco Technical Assistance Center (TAC) can provide configuration assistance and technical assistance with security matters. The TAC can also help with nonsensitive security incidents and software upgrades for security bug fixes. Use the following information to contact the Cisco TAC.
TAC Support
    Phone: +1 800 553 2447 (toll-free within North America)
    Hours: 24 hours a day, 7 days a week
Receiving Security Vulnerability Information from Cisco
There are several ways to stay connected and receive the latest security vulnerability information from Cisco. Review the following options, and the summaries that follow, to determine the appropriate one.
- Cisco.com (Security Intelligence Operations portal)
- RSS feeds
- Cisco Notification Service
Cisco.com
The Security Intelligence Operations portal on Cisco.com provides Cisco security vulnerability documents and Cisco security functions information, including relevant security products and services.
For direct links to specific security functions, see the "Types of Security Publications" section of this document.
Cisco Security Advisories are clear signed with the Cisco PSIRT PGP key and posted to the following e-mail and Usenet news recipients:
cust-security-announce@cisco.com
first-bulletins@lists.first.org
bugtraq@securityfocus.com
vulnwatch@vulnwatch.org
cisco@spot.colorado.edu
cisco-nsp@puck.nether.net
full-disclosure@lists.grok.org.uk
comp.dcom.sys.cisco@newsgate.cisco.com
Only initial and major revisions to a Cisco Security Advisory are posted via e-mail. If a document undergoes a minor revision, the update will be posted to Cisco.com without an accompanying e-mail message. Customers who require automated minor revision alerts should subscribe to the Cisco Security Advisory Really Simple Syndication (RSS) feed or Cisco Notification Service. All security advisories on Cisco.com are displayed in chronological order, with the most recent advisories and updates appearing at the top of the page.
Cisco Security Responses are posted to Cisco.com and sent only to the cust-security-announce@cisco.com e-mail alias.
This mailing list is an external list that allows subscribers to receive Cisco security announcements.
To subscribe to this mailing list, send an e-mail message to cust-security-announce-join@cisco.com. (The content of the message does not matter.) You will receive confirmation, instructions, and a list policy statement.
Please note that requests must be sent to cust-security-announce-join@cisco.com and not to the cust-security-announce@cisco.com list itself.
You must send messages from the account that will be subscribed to the list. We do not accept subscriptions for one account that are sent from a second account.
You may also request access to this mailing list by sending an e-mail message to psirt@cisco.com.
RSS Feeds
Cisco security vulnerability information is also available via RSS feeds from Cisco.com. These feeds are free and do not require an active Cisco.com registration. For information on how to subscribe to the RSS feeds, visit the Security Intelligence Operations RSS Feeds page at http://tools.cisco.com/security/center/rss.x?i=44.
Cisco Notification Service
Cisco Notification Service allows users to subscribe and receive important Cisco product and technology information. This service provides an improved unified subscription experience allowing users to choose the timing of notifications, as well as the notification delivery method (e-mail message or RSS feed). The level of access will be determined by the subscriber's relationship with Cisco.
Procedure for Creating a Notification
- Log in to the Cisco Notification Service website on Cisco.com using your registered Cisco.com account name and password.
- Click the Add Notification button and follow the instructions.
Public Relations or Press Queries Regarding Cisco Security Vulnerability Information
The following table shows the Cisco press contacts for Cisco security vulnerability information.
Press Contacts
    Nigel Glennie
    E-mail: nglennie@cisco.com
    Additional Public Relations
Cisco Product Security Incident Response Process
[Figure: the Cisco PSIRT process at a high level, giving an overview of the vulnerability lifecycle, disclosure, and resolution process.]
The Cisco PSIRT investigates all reports regardless of the Cisco software code version or product lifecycle status. Issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Ultimately, the resolution of a reported incident may require upgrades to products that are under active support from Cisco.
Throughout the investigative process, the Cisco PSIRT strives to work collaboratively with the source of the report (incident reporter) to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure. If the incident reporter disagrees with the conclusion, the Cisco PSIRT will make every effort to address those concerns.
In the case of incidents whereby an agreement cannot be reached through the normal process, incident reporters may escalate by contacting the Cisco Technical Assistance Center and requesting the director of the global Cisco PSIRT team.
During any investigation, the Cisco PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, the Cisco PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Cisco PSIRT on the Cisco website through the appropriate coordinated disclosure.
With the agreement of the incident reporter, the Cisco PSIRT may acknowledge the reporter's contribution during the public disclosure of the vulnerability.
Cisco PSIRT works with third-party coordination centers such as CERT/CC, CERT-FI, JP-CERT, or CPNI to manage a coordinated industry disclosure for vulnerabilities reported to Cisco that may impact multiple vendors (for example, a generic protocol issue). In those situations, the Cisco PSIRT either will assist the incident reporter in contacting the coordination center, or may do so on that individual's behalf.
If a reported vulnerability involves a vendor product, the Cisco PSIRT will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.
The Cisco PSIRT will coordinate with the incident reporter to determine the frequency of status updates of the incident and documentation updates.
Assessing Security Risk — Common Vulnerability Scoring System
Cisco uses version 2.0 of the Common Vulnerability Scoring System (CVSS) as part of its standard process of evaluating reported potential vulnerabilities in Cisco products and determining which vulnerabilities warrant a Cisco Security Advisory or other type of publication. Cisco also uses CVSS to convey vulnerability severity. The CVSS model uses three distinct measurements or scores that include base, temporal, and environmental calculations. Cisco provides an evaluation of the base and temporal vulnerability scores, and end users are encouraged to compute the environmental score based on their network parameters. The combination of all three scores should be considered the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize responses in their own environments.
Cisco uses the following CVSS guidelines when determining which security publication will include a particular vulnerability:
- Cisco Security Advisory — CVSS Base Score of 7.0 – 10.0
- Cisco Security Notice — CVSS Base Score of 4.0 – 6.9
- Release Note Enclosure — CVSS Base Score of 0.1 – 3.9
Cisco reserves the right to deviate from this on an exception basis in the event that there are additional factors not properly captured in the CVSS score.
If there is a security issue with a third-party software component that is used in a Cisco product, Cisco will typically use the CVSS score provided by the component creator. In some cases, Cisco may adjust the CVSS score to reflect the impact to the Cisco product.
For more information about CVSS, visit the FIRST.org web site.
Types of Security Publications
In all security publications, Cisco discloses the minimum amount of information required for an end user to assess the impact of a vulnerability and any potential steps needed to protect their environment. Cisco does not provide vulnerability details that could enable someone to craft an exploit.
Cisco provides the following types of security-related publications via the Security Intelligence Operations portal on Cisco.com.
- Cisco Security Advisories
Cisco Security Advisories provide detailed information about significant security issues that directly involve Cisco products and require an upgrade, fix, or other customer action.
Cisco Security Advisories include an option to download Common Vulnerability Reporting Framework (CVRF) content, and Cisco Security Advisories for Cisco IOS Software will include an option to download Open Vulnerability and Assessment Language (OVAL) definitions. CVRF and OVAL are industry standards designed to depict vulnerability information in machine-readable format (XML files). This machine-readable content can be used with other tools to automate the process of interpreting data contained in a Security Advisory. CVRF and OVAL content can be downloaded directly from each Security Advisory. For more information about CVRF and OVAL, see the respective standards' documentation.
- Cisco Security Notices
Cisco Security Notices document low- and medium-severity security issues that directly involve Cisco products but do not warrant the visibility of a Cisco Security Advisory.
Cisco Security Notices are organized by Common Vulnerabilities and Exposures (CVE) Identifier to facilitate correlation of security issues across Cisco products.
- Cisco Security Responses
Cisco Security Responses address issues that require a response to information discussed in a public forum, such as a blog or discussion list. The responses are normally published if a third party makes a public statement about a Cisco product vulnerability.
- Cisco Event Responses
Cisco Event Responses provide information about security events that have the potential for widespread impact on customer networks, applications, and devices. Cisco Event Responses contain summary information, threat analysis, and mitigation techniques that feature Cisco products. They are normally published under the following circumstances:
- If a significant security vulnerability exists in a vendor's product that could affect a Cisco product due to interoperation with the vendor's product or use of the network as a vector for exploitation
- In response to the release of Cisco IOS Software bundled publications
- Cisco Applied Mitigation Bulletins
Cisco Applied Mitigation Bulletins describe techniques that use Cisco product abilities to detect and mitigate exploits. They are normally published when Cisco products may be used to mitigate known vulnerabilities.
- Threat Outbreak Alerts
Cisco Threat Outbreak Alerts cover the latest data regarding malicious e-mail and web-based threats, including spam, phishing, viruses, malware, and botnet activity. These alerts do not relate to Cisco products but are provided for the benefit of Cisco customers and others.
- Release Note Enclosures
All Cisco bug IDs that are disclosed by Cisco are available for registered customers to view in the Cisco Bug Toolkit.
If a Cisco Security Advisory or Cisco Security Notice references a bug, the bug entry in the Cisco Bug Toolkit will link to the relevant Cisco Security Advisory or Notice.
Any Cisco bug that has been evaluated by the Cisco PSIRT will include a "PSIRT Evaluation" section in its Release Note Enclosure. This section will include, where Cisco deems appropriate and relevant, base and temporal CVSS scores and a CVE ID. Customers are invited to use this additional information at their discretion and correlate Cisco bugs with industry events. This information is not intended to supplement any standard Cisco warranties applicable to the software as stated in the Cisco End User License Agreement, which is available at the following URL: http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
Free software updates will not be provided for issues that are disclosed through a Release Note Enclosure. Customers who wish to upgrade to a software version that includes fixes for those issues should contact their normal support channels. Any exception to this policy will be determined solely at the discretion of Cisco.
The following table summarizes the methods used to notify customers about the aforementioned security publications. Exceptions may be made on a case-by-case basis to increase communication for a given document. SIO Portal is the Security Intelligence Operations portal on Cisco.com; CNS is the Cisco Notification Service.

| Publication                       | E-mail | SIO Portal | RSS | CNS | Cisco Bug Toolkit |
|-----------------------------------|--------|------------|-----|-----|-------------------|
| Cisco Security Advisory           | Yes    | Yes        | Yes | Yes | Yes               |
| Cisco Security Notice             | No     | Yes        | Yes | No  | Yes               |
| Cisco Security Response           | Yes    | Yes        | Yes | No  | Yes               |
| Cisco Event Response              | No     | Yes        | Yes | No  | No                |
| Cisco Applied Mitigation Bulletin | No     | Yes        | Yes | No  | No                |
| Threat Outbreak Alert             | No     | Yes        | Yes | No  | No                |
| Release Note Enclosure            | No     | No         | No  | No  | Yes               |
Communications Plan
If one or more of the following conditions exist, Cisco will publicly disclose Cisco Security Advisories:
- The Cisco PSIRT has completed the incident response process and determined that sufficient software patches or workarounds exist to address the vulnerability, or subsequent public disclosure of code fixes is planned to address high-severity vulnerabilities.
- The Cisco PSIRT has observed active exploitation of a vulnerability that could lead to increased risk for Cisco customers. For this condition, Cisco will accelerate the publication of a security announcement describing the vulnerability that may or may not include a complete set of patches or workarounds.
- There is the potential for increased public awareness of a vulnerability affecting Cisco products that could lead to increased risk for Cisco customers. For this condition, Cisco will accelerate the publication of a security announcement describing the vulnerability that may or may not include a complete set of patches or workarounds.
All Cisco security publications are disclosed to customers and the public simultaneously. Cisco reserves the right to deviate from this policy on an exception basis to ensure access to Cisco.com for software patch availability.
When coordinating disclosure with third parties, the Cisco PSIRT will attempt to provide notification of any changes to the Cisco PSIRT public disclosure schedule.
As documented in the "Receiving Security Vulnerability Information from Cisco" section of this document, Cisco delivers technical security information about software fixes in Cisco products and distributes product updates through several channels.
Disclosure Schedule
Cisco IOS Software
In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories at 1600 GMT on the fourth Wednesday in March and September each year. This schedule applies to the disclosure of Cisco IOS Software vulnerabilities and does not apply to the disclosure of vulnerabilities in other Cisco products.
All Other Products
Cisco generally discloses Cisco Security Advisories at 1600 GMT on any given Wednesday.
Exceptions
Cisco reserves the right to publish an individual Cisco IOS Software or other product Security Advisory outside the published schedule. Conditions under which an out-of-cycle publication may occur include, but are not limited to, the following:
- Cisco detects heightened public awareness of a serious vulnerability
- Cisco learns of active exploitation of a vulnerability
- Cisco works with a third-party coordination center to publicly disclose a vulnerability
Incident Response Eligibility
Customers with service contracts receive incident response assistance for any incident in which a Cisco product plays a significant role, regardless of whether there is an identified problem with a Cisco product.
All customers, regardless of contract status, receive free incident response assistance, similar to that offered to contract customers, for any incident that involves a known or reasonably suspected security vulnerability in a Cisco product.
Cisco reserves the right to determine the type and degree of assistance it may offer in connection with any incident and to withdraw from any incident at any time. Cisco may offer customers incident response services free of charge. Cisco may give special consideration to security incidents that involve actual or potential threats to persons, property, or the Internet as well as requests from law enforcement agencies or formal incident response teams.
Security Software Updates
Cisco customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels, generally from the Cisco website. Cisco recommends contacting the TAC only with specific and imminent problems or questions.
As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free software updates to address high-severity security problems. The decision to provide free software updates is made on a case-by-case basis. Refer to the Cisco security publication for details. Free software updates will typically be limited to Cisco Security Advisories.
If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described in the "General Security-Related Queries" section of this document. To verify their entitlement, individuals who contact the TAC should have available the URL of the Cisco document that is offering the update.
All aspects of this process are subject to change without notice and on a case-by-case basis. No particular level of response is guaranteed for any specific issue or class of issues.
The information on this webpage is provided on an "as is" basis and does not imply any guarantee or warranty of any kind. Your use of the information on this webpage or materials linked from this webpage is at your own risk. Cisco reserves the right to change or update this webpage without notice at anytime.