Avatar

A phrase I’ve recently been hearing repeated is that “product features will come and go, but risk mitigation is continuous.”  With that in mind, our Product Security Incident Response Team (PSIRT) is doing its part by seeking ways to improve how we transparently communicate information about Cisco product vulnerabilities to our Customers and Partners.  Starting in January of 2013 we will be launching a new deliverable called the Cisco Security Notice.

The purpose of the Cisco Security Notice is to make it easier for Customers and Partners to access information about low to medium severity vulnerabilities in Cisco products.  A Cisco Security Notice will be the primary disclosure document for all security defects that PSIRT scores with a Common Vulnerability Scoring System (CVSS) base score from 4.0 to 6.9 and will be posted to the PSIRT publication listing page.  Each vulnerability disclosed through a Cisco Security Notice will be assigned a Common Vulnerability and Exposures (CVE) Identifier to aid in identification.   Check out the sites for CVE, CVSS, and this CVSS scoring calculator if these terms are relatively new to you or you simply need a refresher. 

The content of the Cisco Security Notice will include an issue summary, list of affected products along with the Cisco software defect identifier and CVSS base and temporal scores, and the products confirmed not vulnerable.  An example of this new deliverable is depicted in the graphic below:

Cisco Security Notice

The introduction of the Cisco Security Notice into the family of PSIRT disclosure documents does not affect the current process for disclosing high severity vulnerabilities via the Cisco Security Advisory. There are some key differences between these two deliverables and how they are used for vulnerability disclosure.  Some of the key similarities and differences between these two document types are listed below:

Characteristic

Cisco Security Advisory

Cisco Security Notice

CVSS base score

7.0 or greater

4.0 – 6.9

CVE assigned

Yes

Yes

Posted to PSIRT publication listing page and supported by search features

Yes

Yes

Email announcement to customer-security-announce@cisco.com upon publication

Yes

No

RSS announcement upon publication

Yes

Yes

Free software offered

Generally yes, but each Advisory will state

No

 

Check out Cisco’s Vulnerability Policy for more detailed information about the different document types, how to receive threat, vulnerability, and mitigation information, and the overall vulnerability management process.  Additionally, the following video from Cisco PSIRT Incident Manager, Omar Santos, contains information about Cisco Security Notices including how to search for issues that may affect your network.

Our goal in introducing the Cisco Security Notice is to better inform customers about potential low to medium severity risks to their network and we want to hear from you if you have questions or feedback that enables us to help you keep pace with that continuous risk mitigation cycle.



Authors

Jean Reese

Manager

Security Research & Operations