Vendor Vulnerability Reporting and Disclosure Policy
This policy sets forth the reporting and disclosure process that Cisco Systems, Inc. and its subsidiaries (collectively, “Cisco”) follow when we discover security vulnerabilities in non-Cisco products and services.
This policy must clearly state the timeline, actions, and responsibilities equally available to all non-Cisco vendors.
Vendor Vulnerability Reporting and Disclosure
If a vulnerability is found in a vendor’s product or service, Cisco will attempt to contact the vendor by email to notify the vendor of such discovery. Cisco will initially attempt to create a secure communication channel with the vendor by exchanging PGP keys for encrypted email. If a secure communication channel is successfully created, then an encrypted copy of the vulnerability report will be sent to the vendor through that channel. If no response to the attempt to create a secure communication channel is received by Cisco within seven (7) days, then a description of the vulnerability will be sent by email to the vendor in plain text.
Our approach to vulnerability disclosure is based on industry standards and the Carnegie Mellon University Computer Emergency Response Team (CERT) vulnerability policy. For additional information, see the CERT disclosure guidelines.
If Cisco discovers a vulnerability in a vendor’s product or service, it will take the following steps:
Actions to be Taken by Cisco
Day 0
- Initial vendor contact
- Protections released to Cisco customers for Cisco security products
- Assignment of CVE (Common Vulnerabilities and Exposures) if vendor is not a CNA (CVE Numbering Authority)
- Vendor name and report date listed on Cisco Talos vulnerability tracker website
Day 7
- Second vendor contact if there is no response to Cisco’s initial communication
Day 45
- Reminder email sent to the vendor with the release date of the vulnerability report
Day 60
- If the vendor has not responded or has stopped responding, a final reminder email will be sent
Day 90
- Disclosure of the full vulnerability report on the Cisco Talos vulnerability tracker website; however, if the vendor releases a patch or mitigation for the vulnerability before the 90th day, then Cisco will disclose the full vulnerability report immediately following the vendor’s release of such patch or mitigation
- CVE publication request submitted to MITRE
In the interest of fostering coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances may result in adjustments to the disclosures and timelines when reasonably necessary.
- Email address: firstname.lastname@example.org
- PGP key: The Cisco vendor vulnerability public key (key ID 0x0E16F693) is available on multiple public key servers.
For purposes of this policy, the following definitions apply:
Last Updated: May 21, 2020
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.
Internal Reference Policy: Vendor Vulnerability Reporting and Disclosure Policy, EDCS-19537550
Owning Function: Cisco Talos
© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.