Cisco Security

Vendor Vulnerability Reporting and Disclosure Policy

Vendor Vulnerability Reporting and Disclosure Policy

This document defines the policy for the coordinated reporting and disclosure of vulnerabilities that Cisco Systems, Inc. employees find in non-Cisco products and services. In the event that vulnerabilities are found in a vendor's product or service, Cisco will attempt to contact the vendor by email to notify the vendor of such a discovery. On initial contact with the vendor, an attempt will be made to create a secure communication channel by exchanging PGP keys for encrypted email. If a secure communication channel is created successfully, an encrypted copy of the vulnerability report will be sent to the vendor through that channel. If no response to the attempt to create a secure communication channel is received within seven days, a description of the vulnerability will be supplied to the vendor in plain text. If the vendor remains unresponsive 45 days after the initial contact, the report will also be sent to the Carnegie Mellon Computer Emergency Response Team (CERT). In compliance with CERT vulnerability disclosure guidelines, the vendor will then have approximately 45 days before public disclosure of information about the vulnerability.

  Disclosure Timeline
 Day 0 
  • Initial vendor contact
  • Protections released to customers who use Cisco security products
 Day 7 
  • Second vendor contact if there is no response from the vendor
 Day 15 
  • Vendor notification date published on the Cisco Talos vulnerability tracker website
 Day 45 
  • Vulnerability report forwarded to CERT if there is no response from the vendor
 Day 90 
  • Vulnerability disclosed by CERT per their coordination guidelines
  • Full disclosure of the vulnerability report on the Cisco Talos vulnerability tracker website after a patch or mitigation is released or the time limit expires 


In the interest of coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the timeline if progress is being made and the default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances, such as threats of any nature, may result in adjustments to disclosures and timelines.

For additional information, see the CERT disclosure guidelines.

Contact Information


  • Email address:
  • PGP key: The Cisco vendor vulnerability public key (key ID 0x0B3BB3A7) is available on multiple public key servers.


Last Updated: November 28, 2016

This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

Cisco Security portal