Security Vulnerability Policy
If you are experiencing a security vulnerability emergency, see the Reporting or Obtaining Support for a Suspected Security Vulnerability section of this document.
Cisco Product Security Incident Response
Cisco product security incident response is the responsibility of the Cisco Product Security Incident Response Team (PSIRT). The Cisco PSIRT is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information that is related to Cisco products and networks. The on-call Cisco PSIRT works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks.
Reporting or Obtaining Support for a Suspected Security Vulnerability
Individuals or organizations that are experiencing a product security issue are strongly encouraged to contact the Cisco PSIRT. Cisco welcomes reports from independent researchers, industry organizations, other vendors, customers, and any other sources concerned with product or network security. Please contact the Cisco PSIRT directly using one of the following methods:
Cisco encourages the encryption of sensitive information sent to Cisco by e-mail. The Cisco PSIRT accepts messages encrypted with PGP/GNU Privacy Guard (GPG). The Cisco PSIRT public key (key ID 0xCF14FEE0) is available on multiple public key servers. Because key servers accept uploads from anyone and a short key ID is not a unique identifier, confirm the key's full fingerprint against a trusted Cisco source before encrypting to it or using it to verify signatures.
General Security-Related Queries
For general security concerns about Cisco networks, the Cisco Technical Assistance Center (TAC) can provide configuration assistance and technical assistance with security matters. The TAC can also help with non-sensitive security incidents and software upgrades for security bug fixes. Contact the Cisco TAC using the following information:
Receiving Security Vulnerability Information from Cisco
There are several ways to stay informed about the latest security vulnerability information from Cisco. The following table shows the key options and links, with a summary of each option below:
Cisco security vulnerability documents and Cisco security functions information, including services and products that are relevant to security, are available on the Security Intelligence Operations portal.
Cisco Security Advisories are clear signed with the Cisco PSIRT PGP key and posted to the following e-mail and Usenet news recipients:
Only initial and major revisions to a Cisco Security Advisory are posted via e-mail. If a document undergoes a minor revision, the update will be posted to Cisco.com without an accompanying e-mail message. Customers who require automated minor update alerts should subscribe to the Cisco Security Advisory Really Simple Syndication (RSS) feed or Cisco Notification Service. All security advisories on Cisco.com are displayed in chronological order, with the most recently updated advisory appearing at the top of the page.
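Verifying a clear-signed advisory is the practical counterpart to the PGP key mentioned above. The script below is an added example, not Cisco's code or tooling: it generates two throwaway keys (one standing in for the PSIRT key, one for an impostor whose key also happens to be in the local keyring), clear-signs a constructed advisory text with each, tampers with one copy, and then checks signatures the way a practitioner should, by requiring gpg's VALIDSIG status line to carry a pinned fingerprint rather than accepting any "Good signature". The user IDs, addresses and advisory text are constructed for the demo; in real use the pinned fingerprint is obtained out of band from Cisco, not from a key server.

```shell
#!/bin/sh
# Added example (not Cisco's code): verify a clear-signed advisory with gpg and
# pin the signing key's fingerprint instead of trusting a bare "Good signature".
# Keys, addresses and advisory text below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill all 2>/dev/null || true; rm -rf "$WORK"' EXIT

newkey() {  # $1 = user id; generates an unprotected throwaway key
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" default default never 2>/dev/null
}
fpr_of() {  # primary-key fingerprint of the key matching $1 (first "fpr" record)
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}
clearsign() {  # $1 = signing uid, $2 = input file, $3 = output file
  gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
      --local-user "$1" --clearsign -o "$3" "$2"
}

newkey 'PSIRT Test <psirt-test@example.invalid>'   # stands in for the PSIRT key
newkey 'Impostor <impostor@example.invalid>'       # also in the keyring, but not pinned
PINNED_FPR=$(fpr_of psirt-test@example.invalid)    # in real life: obtained out of band

cat > "$WORK/advisory.txt" <<'EOF'
Cisco Security Advisory (constructed sample text)
Severity: Medium
Fixed software is available from the usual update channels.
EOF
clearsign psirt-test@example.invalid "$WORK/advisory.txt" "$WORK/advisory.asc"
clearsign impostor@example.invalid   "$WORK/advisory.txt" "$WORK/impostor.asc"
# Tamper with the signed body: the signature must no longer verify.
sed 's/Severity: Medium/Severity: Low/' "$WORK/advisory.asc" > "$WORK/tampered.asc"

# verify_advisory FILE -> prints ok | wrong-key | unknown-key | bad-signature
# "ok" requires a valid signature AND the pinned fingerprint on the VALIDSIG line;
# a good signature from any other key in the keyring is reported as wrong-key.
verify_advisory() {
  status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null || true)
  case "$status" in
    *"[GNUPG:] VALIDSIG "*"$PINNED_FPR"*) echo ok ;;
    *"[GNUPG:] VALIDSIG "*)               echo wrong-key ;;
    *"[GNUPG:] NO_PUBKEY "*)              echo unknown-key ;;
    *)                                    echo bad-signature ;;
  esac
}

for f in advisory impostor tampered; do
  printf '%s: %s\n' "$f" "$(verify_advisory "$WORK/$f.asc")"
done
```

Running it prints ok for the genuine advisory, wrong-key for the impostor's copy and bad-signature for the tampered one. The wrong-key case is the point: gpg's exit status and "Good signature" text say only that some key in your keyring produced the signature, so the check has to compare the fingerprint in the status output with the one you pinned.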
Cisco Security Responses are posted to Cisco.com and sent only to the firstname.lastname@example.org e-mail alias.
This mailing list is an external list that allows any interested party to subscribe and receive Cisco security announcements.
To subscribe to this mailing list, send an e-mail message to email@example.com. (The content of the message does not matter.) You will receive confirmation, instructions, and a list policy statement.
Please note that requests must be sent to firstname.lastname@example.org and not to the email@example.com list itself.
Individuals must send the request from the account that will be subscribed to the list. Subscription requests for one account that are sent from a different account are not accepted.
Individuals who wish to subscribe to this mailing list may also send an e-mail message to firstname.lastname@example.org requesting access.
Cisco security vulnerability information is also available via Really Simple Syndication (RSS) feeds from the Cisco website. These feeds are free and do not require an active Cisco.com registration. Information on subscribing to RSS feeds is available here.
Cisco Notification Service
Cisco Notification Service allows users to subscribe and receive important Cisco product and technology information. Specifically, this service provides users with an improved unified subscription experience and the ability to choose the timing of notifications, as well as the notification delivery method (e-mail message or RSS feed). The level of access will be determined by the subscriber's relationship with Cisco.
Procedure for Creating a Notification
1: Log in to the Cisco Notification Service website on Cisco.com using your registered Cisco.com account name and password.
2: Click the Add Notification button and follow the subsequent instructions.
Short Message Service Text Messaging
Customers can stay current with a variety of Cisco publications, including Cisco Security Advisories, Applied Mitigation Bulletins, Event Responses, and Threat Outbreak Alerts, by receiving a short message service (SMS) text message when new content is posted. Users can register for Cisco text messages on Cisco.com.
Consult this link for a list of frequently asked questions regarding SMS text messaging.
Public Relations or Press Queries Regarding Cisco Security Vulnerability Information
Press contacts at Cisco for security vulnerability information are
Cisco Product Security Incident Response Process
The following illustration displays the Cisco PSIRT process at a high level and provides an overview of the vulnerability lifecycle, disclosure, and resolution process:
The Cisco PSIRT investigates all reports regardless of the Cisco software code version or product lifecycle status. Issues are prioritized according to the potential severity of the vulnerability and other environmental factors. The ultimate resolution of a reported incident may require upgrades to products that are under active support from Cisco.
Throughout the investigation process, the Cisco PSIRT strives to work collaboratively with the source of the report (incident reporter) to confirm the nature of the vulnerability, gather required technical information, and ascertain appropriate remedial action. When the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure. If the incident reporter disagrees with the conclusion, the Cisco PSIRT will make every effort to address those concerns.
In the case of incidents in which agreement cannot be reached through the normal process, incident reporters may escalate by contacting the Cisco Technical Assistance Center and requesting the director of the global Cisco PSIRT team.
During any investigation, the Cisco PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution. Similarly, the Cisco PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Cisco PSIRT on the Cisco website through the appropriate coordinated disclosure.
With the agreement of the incident reporter, the Cisco PSIRT may acknowledge the reporter's contribution during the public disclosure of the vulnerability.
It is the practice of Cisco PSIRT to work with third-party coordination centers such as CERT/CC, CERT-FI, JP-CERT, or CPNI to manage a coordinated industry disclosure for vulnerabilities reported to Cisco that may impact multiple vendors (for example, a generic protocol issue). In those situations, the Cisco PSIRT will either assist the incident reporter in contacting the coordination center, or may do so on that individual's behalf.
In situations where vulnerabilities that involve another vendor's product(s) are reported to the Cisco PSIRT, the team will notify the vendor directly, coordinate with the incident reporter, or engage a third-party coordination center.
The Cisco PSIRT will coordinate with the incident reporter to determine the frequency of status updates of the incident and documentation updates.
Cisco will publicly disclose security vulnerability information under one or more of the following conditions:
Cisco security vulnerabilities are disclosed to customers and the public simultaneously. Cisco reserves the right to deviate from this policy on an exception basis to ensure access to Cisco.com for software patch availability.
When coordinating disclosure with third parties, the Cisco PSIRT will attempt to provide notification of any changes to the Cisco PSIRT public disclosure schedule.
As documented in the Receiving Security Vulnerability Information from Cisco section of this document, Cisco delivers technical security information about software fixes in Cisco products and distributes product updates through several channels.
Assessing Security Risk - Common Vulnerability Scoring System
Cisco uses version 2.0 of the Common Vulnerability Scoring System (CVSS) as part of its standard process for evaluating reported potential vulnerabilities in Cisco products and determining which vulnerabilities warrant a Cisco Security Advisory or other type of publication. Cisco also uses CVSS to convey vulnerability severity. The CVSS model has three distinct scores: base, temporal, and environmental. Cisco provides the base and temporal scores, and end users are encouraged to compute the environmental score from the parameters of their own networks. The combination of all three should be treated as the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize their response in their own environments.
More information about CVSS is available at the FIRST.org web site.
Cisco IOS Software
In direct response to customer feedback, Cisco releases bundles of Cisco IOS Software Security Advisories at 16:00 GMT on the fourth Wednesday of March and September each calendar year. This schedule applies only to the disclosure of Cisco IOS Software vulnerabilities, not to the disclosure of vulnerabilities in other Cisco products.
All Other Products
Cisco generally discloses security vulnerabilities at 16:00 Greenwich Mean Time (GMT) on a Wednesday.
Cisco reserves the right to publish an individual Cisco IOS Software or other product Security Advisory outside the published schedule. Conditions under which an out-of-cycle publication may occur include, but are not limited to, the following:
Types of Security Publications
In all security publications, Cisco discloses the minimum amount of information required for end users to assess the impact of a vulnerability and any steps needed to protect their environment. Cisco does not provide vulnerability details that could enable someone to craft an exploit.
Cisco provides the following types of security-related publications. All documents are available on the Security Intelligence Operations portal on Cisco.com.
Incident Response Eligibility
Customers with service contracts receive incident response assistance for any incident in which a Cisco product plays a significant role, regardless of whether there is an identified problem with a Cisco product.
All customers, regardless of contract status, receive free-of-charge incident response assistance similar to that offered to contract customers for any incident that involves a known or reasonably suspected security vulnerability in a Cisco product.
Cisco reserves the right to determine the type and degree of assistance it may offer in connection with any incident and to withdraw from any incident at any time. Cisco may offer customers incident response services free of charge. Cisco may give special consideration to security incidents that involve actual or potential threats to persons, property, or the Internet as well as requests from law enforcement agencies or formal incident response teams.
Security Software Updates
Cisco customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels, generally from the Cisco website. Cisco recommends contacting the TAC only with specific and imminent problems or questions.
As a special customer service, and to improve the overall security of the Internet, Cisco may offer customers free of charge software updates to address security problems. If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the means described in the Contact Summary section of this document. To verify their entitlement, individuals who contact the TAC should have available the URL of the Cisco document that is offering the upgrade.
All aspects of this process are subject to change without notice and on a case-by-case basis. No particular level of response is guaranteed for any specific issue or class of issues.
The information on this webpage is provided on an "as is" basis and does not imply any guarantee or warranty of any kind. Your use of the information on this webpage or materials linked from this webpage is at your own risk. Cisco reserves the right to change or update this webpage without notice at any time.