This policy was created to guide and inform Cisco customers in the event of a reported vulnerability in a Cisco product or cloud-hosted service. It ensures that Cisco customers have a consistent, unambiguous resource to help them understand how Cisco responds to events of this nature.
This policy clearly states how Cisco addresses reported security vulnerabilities in Cisco products and cloud-hosted services, including the timeline, actions, and responsibilities that apply to all customers.
Members of the media with queries about Cisco security vulnerability information can contact media_pr@cisco.com.
Cisco product development practices specifically prohibit any intentional behaviors or product features that are designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. These include, but are not limited to:
Cisco considers such product behaviors to be serious vulnerabilities. Cisco will address any issues of this nature with the highest priority and encourages all parties to report suspected vulnerabilities to the Cisco PSIRT for immediate investigation.
For more information, see Cisco Secure Development Lifecycle (CSDL).
The Cisco Product Security Incident Response Team (PSIRT) is responsible for responding to Cisco product security incidents. The Cisco PSIRT aligns its practices with ISO/IEC 29147:2018, which are guidelines for disclosure of potential vulnerabilities established by the International Organization for Standardization.
The Cisco PSIRT is a dedicated, global team that receives, investigates, and publicly reports information about security vulnerabilities and issues related to Cisco products and services. The Cisco PSIRT works with Cisco customers and vendors, independent security researchers, consultants, and industry organizations to identify possible security vulnerabilities and issues with Cisco products and networks.
Cisco defines a security vulnerability as a weakness in the computational logic found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, or availability. Cisco reserves the right to deviate from this definition based on specific circumstances.
Individuals or organizations that are experiencing a product security issue are strongly encouraged to contact the Cisco PSIRT. Cisco welcomes reports from independent researchers, industry organizations, vendors, customers, and other sources concerned with product or network security.
To contact the Cisco PSIRT, use one of the methods in the following table:
For general security concerns about Cisco products and cloud-hosted services, the Cisco Technical Assistance Center (TAC) can provide configuration and technical assistance. The Cisco TAC can also help with non-critical security incidents and software upgrades for security bug fixes. To contact the Cisco TAC, use one of the following methods:
Cisco TAC Support — Available 24 hours a day, 7 days a week
+1 800 553 2447 (toll-free within North America)
+1 408 526 7209 (international direct dial)
Additional TAC numbers: Customer Service Contacts
All customers, regardless of support contract status, may be eligible to receive reasonable support for security incidents that impact them that involve Cisco products or services.
Customers with support contracts should follow their normal support process to engage Cisco. Any customer who does not hold a support contract must contact Cisco by telephone and request that a support case be opened on an exception basis. The customer should be prepared to share serial number(s), the software release, and a detailed description of the concern and request that the Cisco PSIRT be engaged.
If the concern is in currently supported hardware or software products, the Cisco PSIRT, at the request of the Cisco TAC, will make a reasonable effort to validate the concern, collect required data, and report the findings back to the customer. Further in-depth analysis, assessment of “lateral” impact, or detailed characterizations of sources and other impacts are beyond the scope of the Cisco PSIRT and require that customers engage a full-service forensics analysis and impact assessment provider.
There are several ways to stay connected and receive the latest security vulnerability information from Cisco. Refer to the the following table and see the matrix of security publications to determine the best channel for your needs.
Cisco Security Portal
https://www.cisco.com/security
This website provides Cisco security information and security vulnerability documents, including relevant security products and services.
Cisco PSIRT openVuln API
https://developer.cisco.com/psirt/
This RESTful API allows customers to obtain Cisco security vulnerability information in different machine-consumable formats.
My Notifications
https://www.cisco.com/c/en/us/support/web/tools/cns/notifications
Create customized notifications to receive important Cisco product and technology information, including Cisco Security Advisories.
Customer Security Announcement Email
To subscribe, email cust-security-announce-join@cisco.com. (The content of the message does not matter.) You will receive a confirmation email, further instructions, and a list policy statement.
To unsubscribe from the cust-security-announce mailing list, email cust-security-announce-leave@cisco.com with the word "unsubscribe" in the subject line.
For details, see the Details About the Cisco Customer Security Announcement Email section after this table.
RSS Feed
http://sec.cloudapps.cisco.com/security/center/rss.x?i=44
These feeds are free and do not require an active Cisco.com registration.
All information provided through the channels listed in the preceding table is point-in-time, meaning that the information was accurate at the time it was published or distributed. The most up-to-date information about security vulnerabilities in Cisco products and software is available through the Cisco Bug Search Tool. This web-based tool is a gateway to the Cisco bug tracking system. The Bug Search Tool Help page has information on where to find Cisco bug IDs and how to use the tool.
Cisco Security Advisories provide information about security vulnerabilities of Critical, High, and Medium severity. They are clear-signed with the Cisco PSIRT PGP public key and distributed to the external cust-security-announce mailing list. The Cisco PSIRT may also send Informational advisories to the cust-security-announce mailing list.
Emails are sent for the initial release of and major revisions to Cisco Security Advisories. A major revision is defined as a revision that Cisco PSIRT determines to be a significant change to advisory content that is related to how customers should address the vulnerability. Examples of a major advisory change include, but are not limited to, changes to the affected products list, changes in Security Impact Rating, changes in mitigations or workarounds, and changes to fixed releases information. If a document undergoes a minor revision, the update will be posted to Cisco.com without an accompanying email. Customers who require automated alerts for minor revisions should subscribe to the Cisco Security Advisory RSS feed or My Notifications. All Security Advisories on Cisco.com are displayed in chronological order, with the most recent advisories and updates appearing at the top of the page.
To subscribe to the cust-security-announce mailing list, email cust-security-announce-join@cisco.com using the email account that you wish to have subscribed. (The content of the message does not matter.) You will receive confirmation, instructions, and a list policy statement.
To unsubscribe from the cust-security-announce mailing list, email cust-security-announce-leave@cisco.com using the email account that you wish to have unsubscribed and put the word "unsubscribe" in the subject line. (The content of the message does not matter.) You will receive a confirmation notice, to which you need to reply to be unsubscribed. You will not be unsubscribed unless you reply to the confirmation email.
Important: Requests to subscribe must be sent to cust-security-announce-join@cisco.com, and requests to unsubscribe must be sent to cust-security-announce-leave@cisco.com — not to the cust-security-announce@cisco.com email address itself. You must send the messages from the email account that you want to be subscribed to or unsubscribed from the list.
The Cisco PSIRT investigates all reports of product security vulnerabilities, regardless of the Cisco software code version or product lifecycle status, until the product reaches the Last Day of Support (LDoS). Issues will be prioritized based on the potential severity of the vulnerability and other environmental factors. Ultimately, the resolution of a reported incident may require upgrades to products and cloud-hosted services that are under active support from Cisco. As a best practice, Cisco strongly recommends that customers periodically verify that their products are under active support to ensure that they have access to the latest software updates and other benefits.
During any investigation, the Cisco PSIRT manages all sensitive information on a highly confidential basis. Internal distribution is limited to those individuals who have a legitimate need to know and can actively assist in the resolution.
Incidents reports by third parties: Throughout the investigative process, the Cisco PSIRT strives to work collaboratively with the incident reporter to assess the nature of the vulnerability, gather required technical information, and determine appropriate remedial action. When the initial investigation is complete, results will be delivered to the incident reporter along with a plan for resolution and public disclosure, as applicable.
The Cisco PSIRT will coordinate with the incident reporter to determine the frequency of status updates on the incident and documentation updates.
The Cisco PSIRT asks incident reporters to maintain strict confidentiality until complete resolutions are available for customers and have been published by the Cisco PSIRT on the Cisco website through the appropriate coordinated disclosure.
With the agreement of the incident reporter, the Cisco PSIRT may acknowledge the reporter's contribution during the public disclosure of the vulnerability.
Incidents that may impact other vendors: The Cisco PSIRT works with third-party coordination centers such as the Computer Emergency Response Team Coordination Center (CERT/CC), Computer Emergency Response Team of Finland (CERT-FI), Japan Computer Emergency Response Team (JP-CERT), and National Protective Security Authority (NPSA) to manage a coordinated industry disclosure for vulnerabilities reported to Cisco that may impact multiple vendors (for example, a generic protocol issue). In these situations, the Cisco PSIRT will either assist the incident reporter with contacting the coordination center or do so on the incident reporter’s behalf.
Cisco will protect customer-specific data at all times throughout this process. Specifically, Cisco will not share any customer-specific data unless directed to do so by the affected customer or as required by a legal investigation.
Incidents discovered during services delivery: If a new or previously undisclosed security vulnerability is found during a Cisco Services engagement with a customer, Cisco will follow the Cisco Product Security Incident Response Process. Vulnerabilities found in Cisco products and cloud-hosted services will be handled by the Cisco PSIRT according to this Cisco Security Vulnerability Policy.
If the vulnerability is in another vendor’s product, Cisco will follow the Cisco Vendor Vulnerability Reporting and Disclosure Policy unless the affected customer wishes to report the vulnerability to the vendor directly; in that case, Cisco will facilitate contact between the customer and the vendor and will notify CERT/CC (or its national equivalent).
Cisco offers multiple cloud-hosted services that are used by customers but are maintained, patched, and monitored by Cisco.
The Cisco PSIRT responds to vulnerabilities in Cisco cloud-hosted services and works closely with the teams that operate them. These operational teams ensure that security vulnerabilities are fixed and that patches are deployed to all customer instances in a timely manner.
Typically, service-related security events are communicated to customers by the service teams through direct notification or through the service dashboard or portal. In some instances, Cisco may disclose vulnerabilities through Security Advisories for Cisco cloud-hosted services in coordination with the service teams.
In most cases, no user action is required because Cisco regularly patches cloud-hosted services.
If there is a vulnerability in a third-party software component that is used in a Cisco product, Cisco typically uses the CVSS score provided by the component creator. Cisco may adjust the CVSS score to reflect the circumstances that are specific to Cisco products.
Cisco will consider a third-party vulnerability “high profile” if it meets the following criteria:
For high profile, third-party vulnerabilities, Cisco will begin assessing potentially impacted products and cloud-hosted services that have not reached the LDoS and publish a Security Advisory. Known affected Cisco products and cloud-hosted services will be detailed in updates to the initial Security Advisory. A Cisco bug will be created for each vulnerable product so that registered customers can view them using the Cisco Bug Search Tool. Third-party vulnerabilities that are not classified as high profile will be disclosed in a Release Note Enclosure (RNE).
Cisco Vulnerability Repository
The Cisco Vulnerability Repository (CVR) is a vulnerability search engine for CVEs that were published in 2018 or later that may impact Cisco products. The CVR can help customers understand if their Cisco product is affected by a particular third-party software vulnerability. Customers may request a Vulnerability Exploitability eXchange (VEX) document for any CVE in the CVR.
This tool also displays any Cisco Security Advisories that are associated with a CVE. At this time, The CVR does not include Cisco cloud offers. For help with a product not listed in this tool, use the Feedback link on the CVR page or contact your support organization.
Cisco uses Version 3.1 of the Common Vulnerability Scoring System (CVSS) as part of its standard process of evaluating reported potential vulnerabilities that do not have a CVE in Cisco products and cloud-hosted services. This CVSS model uses three distinct measurements, or scores: Base, Temporal, and Environmental. Cisco will provide an evaluation of the Base vulnerability score and, in some instances, the Temporal vulnerability score. End users are encouraged to compute the Environmental score based on their network parameters. The combination of all three scores should be considered the final score, which represents a moment in time and is tailored to a specific environment. Organizations are advised to use this final score to prioritize responses in their own environments.
In addition to CVSS scores, Cisco uses the Security Impact Rating (SIR) as a way to categorize vulnerability severity in a simpler manner. The SIR is based on the CVSS Base score. It may be adjusted by PSIRT to account for Cisco-specific variables and is included in every Cisco Security Advisory. Cisco uses the following guidelines to determine the Cisco Security Advisory type for vulnerabilities in Cisco-authored, customer-managed software. Security Advisories for Critical, High, and Medium SIRs include fixed software information.
| Type | CVSS Score | CVE | Fix Information | Machine-readable Format |
|---|---|---|---|---|
 | 9.0 – 10.0 | Yes | Security Advisory1 Bug Search Tool | RSS, CSAF |
 | 7.0 – 8.9 | Yes | Security Advisory1 Bug Search Tool | RSS, CSAF |
 | 4.0 – 6.9 | Yes | Security Advisory1 Bug Search Tool | RSS, CSAF |
 | Not applicable | No | Bug Search Tool, if applicable | RSS, CSAF |
1. Detailed fix information for Cisco IOS, IOS XE, NX-OS, FXOS, Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) Software can be obtained using the Cisco Software Checker.
Issues with a Low SIR are typically published as a bug Release Note Enclosure (RNE) and not as a Security Advisory.
Cisco reserves the right to deviate from these guidelines in specific cases if additional factors are not properly captured in the CVSS score.
If there is a security issue with a third-party software component that is used in a Cisco product, Cisco typically uses the CVSS score provided by the third party. In some cases, Cisco may adjust the CVSS score to reflect the impact to the Cisco product.
Note: Cisco is a Common Vulnerabilities and Exposures (CVE) Numbering Authority and will assign CVE IDs to Cisco software vulnerabilities from the MITRE block of IDs that are assigned to the company for this purpose. Cisco does not assign CVE IDs for reported vulnerabilities until the vulnerabilities have been confirmed by Cisco. After vulnerabilities are published, Cisco provides CVE details to MITRE for inclusion in its database.
Cisco generally does not publicly disclose security vulnerabilities in a Cisco product until the Cisco PSIRT has completed the incident response process and determined that enough software patches or workarounds exist to address the vulnerability. Cisco may, however, expedite disclosure of a security vulnerability in the following situations:
All Cisco security publications are disclosed to customers and the public simultaneously.
When coordinating disclosure with third parties, the Cisco PSIRT will attempt to provide notification of any changes to the Cisco PSIRT public disclosure schedule.
As documented in the Channels for Security Vulnerability Information from Cisco section of this document, Cisco delivers technical security information about software fixes in Cisco products and distributes product updates through several channels. Cisco reserves the right to deliver technical security information in a manner that deviates from this policy on an exception basis.
Cisco generally discloses Cisco Security Advisories at 1600 Greenwich Mean Time (GMT) on any given Wednesday.
In direct response to customer feedback, Cisco releases the following bundles of Cisco Security Advisories at 1600 GMT on a regular schedule twice each year. This schedule applies to the disclosure of vulnerabilities in the following Cisco products and does not apply to the disclosure of vulnerabilities in other Cisco products.
| Cisco Products | |
|---|---|
| Cisco FXOS and NX-OS Software | Fourth Wednesday of February and August |
| Cisco IOS XR Software | Second Wednesday of March and September |
| Cisco IOS and IOS XE Software | Fourth Wednesday of March and September |
Cisco reserves the right to publish an individual Security Advisory for Cisco IOS and IOS XE Software, Cisco IOS XR Software, or Cisco FXOS and NX-OS Software or other products outside the published schedule. Conditions under which an out-of-cycle publication may occur include, but are not limited to, the following:
In all security publications, Cisco discloses the information required for customers to assess the impact of a vulnerability and any potential steps needed to protect their environments. Cisco does not provide vulnerability details that could enable someone to craft an exploit.
Cisco provides the following types of security-related publications on the Cisco Security Portal on Cisco.com.
Cisco Security Advisories
Cisco Security Advisories provide detailed information about certain security issues that directly involve Cisco products and cloud-hosted services and that require an upgrade, fix, or other customer action. Security Advisories are used to disclose vulnerabilities in Cisco-authored software or in high-profile third-party software with a Critical, High, or Medium SIR. The Cisco PSIRT validates only the affected and fixed release information that is documented in the advisory.
Cisco Security Advisories are point-in-time documents. Information should be considered up to date as of the time and date of the last publication update as indicated by the Last Updated field in the advisory header.
All Cisco Security Advisories that disclose vulnerabilities with a Critical, High, or Medium SIR include an option to download Common Security Advisory Framework (CSAF) content. CSAF is an industry standard designed to depict vulnerability information in machine-readable format. This machine-readable content can be used with other tools to automate the process of interpreting data contained in a Security Advisory.
Cisco occasionally publishes Informational Security Advisories to address issues that require a response to information discussed in a public forum, such as a blog or discussion list. Informational advisories are normally published if a third party makes a public statement about a Cisco product vulnerability. Informational advisories may also be used to proactively notify customers about a security-related issue that is not a vulnerability. Informational advisories are not used as a disclosure mechanism for any Cisco vulnerabilities but instead for sharing information on security incidents that may impact Cisco products and that may be of interest to Cisco customers.
| Security Advisory Terms and Conventions |
|---|
| Fixed Release Availability: If a future release date is indicated for software, the date provided represents an estimate based on all information known to Cisco as of the Last Updated date at the top of the advisory. Availability dates are subject to change based on a number of factors, including satisfactory testing results and delivery of other priority features and fixes. If no version or date is listed for an affected component (indicated by a blank field and/or an advisory designation of Interim), Cisco is continuing to evaluate the fix and will update the advisory as additional information becomes available. After the advisory is marked Final, customers should refer to the associated Cisco bug(s) for further details. |
The designated Security Advisory status indicates the following: Interim: The Cisco investigation is ongoing. Cisco will issue revisions to the advisory when additional information, including fixed software release data, becomes available. Final: Cisco has completed its evaluation of the vulnerability described in the advisory. There will be no further updates unless there is a material change in the nature of the vulnerability. |
Cisco Event Responses
Cisco Event Responses provide information about security events that have the potential for widespread impact on customer networks, applications, and devices. Cisco Event Responses contain summary information, threat analysis, and mitigation techniques that feature Cisco products and cloud-hosted services. They are normally published under the following circumstances:
Release Note Enclosures
Release Note Enclosures (RNEs) are used to disclose issues with a Low SIR and most third-party software vulnerabilities. All Cisco bug IDs that are disclosed by Cisco are available for registered customers to view in the Cisco Bug Search Tool.
If a Cisco Security Advisory references a bug, the bug entry in the Cisco Bug Search Tool will link to the relevant Cisco Security Advisory.
Any Cisco bug that has been evaluated by the Cisco PSIRT includes a PSIRT Evaluation section in its RNE. This section includes, where Cisco deems appropriate and relevant, Base and Temporal CVSS scores and a CVE ID. Customers are invited to use this additional information at their discretion and correlate Cisco bugs with industry events. This information is not intended to supplement any standard Cisco warranties that are applicable to the software as stated in the Cisco End User License Agreement.
Free software updates will not be provided for issues that are disclosed through an RNE. Customers who wish to upgrade to a software release that includes fixes for those issues should contact their normal support channels. Any exception to this policy will be determined solely at the discretion of Cisco.
The following table summarizes the methods used to notify customers about the aforementioned security publications. Exceptions may be made on a case-by-case basis to increase communication for a given document.
| Publication | Security Portal | RSS | My Notifications (CNS) | openVuln API | Bug Search Tool | |
|---|---|---|---|---|---|---|
| Cisco Security Advisory—Critical and High Severity | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco Security Advisory—Medium Severity | Yes | Yes | Yes | Yes | Yes | Yes |
| Cisco Security Advisory—Informational | Yes | Yes | Yes | No | No | Yes |
| Cisco Event Response | No | Yes | Yes | No | No | No |
| Release Note Enclosure | No | No | No | No | No | Yes |
The Cisco PSIRT will investigate and disclose vulnerabilities in Cisco products and services from the date of First Commercial Shipment (FCS) to the LDoS. Cisco customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels, generally from the Cisco website for the relevant product. Cisco recommends contacting the Cisco TAC only with specific and imminent problems or questions.
As a special customer service, and to improve the overall security of the internet, Cisco may offer customers free software updates to address high-severity security problems. The decision to provide free software updates is made on a case-by-case basis. Refer to the Cisco security publication for details. Free software updates will typically be limited to Critical- and High-severity vulnerabilities.
Fixes for some third-party software vulnerabilities may be available only in the most recent major software releases and not backported to older releases.
If Cisco has offered a free software update to address a specific issue, noncontract customers who are eligible for the update may obtain it by contacting the Cisco TAC using any of the methods described in the General Security-Related Queries section of this document.
Note: To verify their entitlement, individuals who contact the Cisco TAC should have available the URL of the Cisco document that is offering the update.
Customers may download, install, and expect support only for software releases and feature sets for which they have purchased a valid license that is current and active. By installing, downloading, accessing, or otherwise using such software updates, customers agree to follow the terms of the Cisco software license agreement. In most cases, the software update will be a maintenance release to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
After End of Sale (EoS), the availability of security fixes for vulnerabilities is defined in the product’s EoS bulletin. (See the End-of-Life Policy for details.) The EoS bulletin may define the Last Day of Support (LDoS) milestone, which identifies the last date that Cisco will investigate and disclose product vulnerabilities.
Once the LDoS has been reached, the Cisco PSIRT will continue to accept vulnerability reports but will not analyze, fix, or disclose potential vulnerabilities. To this end, the Cisco PSIRT will not issue CVEs for issues reported on products that are past the LDoS milestone.
All aspects of this process are subject to change without notice and on a case-by-case basis. No particular level of response is guaranteed for any specific issue or class of issues.
For information on Cisco Bug Bounty programs, see Bug Bounty Programs at Cisco.
Last Updated: 2025 September 8
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.
Internal Reference Policy: Security Vulnerability Policy, EDCS-19443599
Owning Function: Cisco PSIRT
© 2025 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
