The Common Vulnerability Scoring System (CVSS) Special Interest Group (SIG), in which Cisco is an active participant, acting on behalf of FIRST.org, has published a preview of the upcoming CVSS v3.0 scoring standard. The CVSS v3.0 preview represents a near final version and includes metric and vector strings, formulas, scoring examples and a v3.0 calculator – all available at the CVSS v3.0 development site. The official public comment period is scheduled to end February 28, 2015 and anyone who produces or consumes CVSS scores are encouraged to review and provide feedback to email@example.com by the close of the comment period.
“A security advisory was just published! Should I hurry and upgrade all my Cisco devices now?”
This is a question that I am being asked by customers on a regular basis. In fact, I am also asked why there are so many security vulnerability advisories. To start with the second question: Cisco is committed to protecting customers by sharing critical security-related information in a very transparent way. Even if security vulnerabilities are found internally, the Cisco Product Security Incident Response Team (PSIRT) – which is my team – investigates, drives to resolution, and discloses such vulnerabilities. To quickly answer the first question, don’t panic, as you may not have to immediately upgrade your device. However, in this article I will discuss some of the guidelines and best practices for responding to Cisco security vulnerability reports.
What is CVSS – (the Common Vulnerability Scoring System)? How can it help me manage risk – and why is it an important step forward in security research? In this short video Gavin Reid CVSS Program Chair share’s his perspective on the vulnerability scoring standard