A Culture of Transparency
Many Cisco customers with an interest in product security are aware of our security advisories and other publications issued by our Product Security Incident Response Team (PSIRT). That awareness is probably more acute than usual following the recent Cisco IOS Software Security Advisory Bundled Publication on September 25. But many may not be aware of the reasoning behind why, when, and how Cisco airs its “dirty laundry.”
Our primary reason for disclosing vulnerabilities is to ensure customers are able to accurately assess, mitigate, and remediate the risk our vulnerabilities may pose to the security of their networks.
In order to deliver on that promise, Cisco has made some fundamental and formative decisions that we’ve carried forward since our first security advisory in June 1995.
Transparency Builds Trust
One of the first decisions we made was to publish our critical product vulnerabilities publicly, for all to see.
All Cisco Security Advisories are published to the Cisco Security Intelligence Operations (SIO) Portal, so even people without an active Cisco service contract can see them. Cisco also publishes its advisories to an opt-in mailing list with tens of thousands of subscribers, an RSS feed, and multiple industry-wide security forums. In 2013, Cisco also began publishing security notices to make it easier for customers to access information about low to medium severity vulnerabilities in Cisco products.
All this supports our fundamental goal to reach every potentially impacted Cisco customer at the same time. We believe that adopting a limited-distribution approach that relies on support contracts, sales orders, or other collected data doesn’t go far enough. It is far better to notify broadly than to miss an opportunity to reach an impacted customer.
However, this commitment to transparency isn’t exclusive to security issues. All Cisco bugs made public by Cisco are available for registered customers to view in the Cisco Bug Search Tool. This web-based tool acts as a gateway to the Cisco bug tracking system, and provides customers with detailed defect information about Cisco hardware and software products. A recent update to the Bug Search Tool also allows registered guest users (with no active support contract) to look up bugs in our bug database.
Note: Cisco’s Security Vulnerability Policy includes more detailed information about the different document types, how to receive threat, vulnerability, and mitigation information, and the overall vulnerability management process.
Forewarned is Forearmed
We made another key decision to disclose all our vulnerabilities, regardless of how they are discovered. Like most software companies these days, a good number of the vulnerabilities we disclose are reported to us by an external party. We have a number of sources including direct customer reports, cooperative security researchers, security conference presentations, and announcements to public mailing lists. We want all vulnerabilities that are customer-impacting or being discussed in a public forum to be investigated and disclosed as soon as possible.
But what may surprise you is that more than 60 percent of the vulnerabilities published by Cisco are found internally, ahead of any known customer impact. We know that if we can discover a vulnerability, then there’s always the possibility that someone else could find and potentially exploit it. Regardless of how small the risk may seem, if a vulnerability exists in a product that has been shipped to customers, we will disclose it.
Prompt and Fair Disclosure
One of the best ways to minimize the risk of a vulnerability is to minimize the amount of time between discovery and disclosure.
Cisco considers a few factors when determining the best time to publish our security advisories, including (in no particular order):
- Completed investigation and root cause analysis
- Availability of fixed software
- Availability of device mitigations or workarounds
- Coordination with researchers, third-party coordination centers (e.g., CERT/CC and CERT-FI), and other vendors in forums like the Industry Consortium for Advancement of Security on the Internet (ICASI)
One factor that trumps all else is public knowledge (or worse, active exploitation) of a vulnerability. If Cisco becomes aware of this situation, then we will publish our document immediately. Even if the advisory is incomplete, we believe it is better to inform our customers as soon as possible, so they can make their own decisions about when and how to protect their networks.
Our customers can also rely on the fact that we provide equal and simultaneous access to security vulnerability information for everyone globally. We do not allow the sharing of vulnerability information with any external party prior to the publication of our public-facing document.
Connecting the Dots
Notifying customers is only the first step. With the ever-increasing number of vulnerability information sources, ensuring customers can correlate and prioritize Cisco vulnerabilities across a diverse network is critical. That’s why we also take the time to provide additional, actionable information.
In 2008, Cisco began including the following two key elements in its security advisories:
- Common Vulnerabilities and Exposures (CVE) Identifiers
- Common Vulnerability Scoring System (CVSS) scores
Using the CVE as a common identifier, customers can view a given vulnerability across multiple products. A particular vulnerability could span multiple Cisco product lines, or in the case of an industry-wide disclosure, across multiple vendors as well. A recent example is the OSPF LSA Manipulation Vulnerability (CVE-2013-0149).
The Common Vulnerability Scoring System uses a 0-to-10 scale to represent the severity of a vulnerability (10 being the worst). This scoring process provides an objective view of a vulnerability’s traits, so customers can compare vulnerabilities and prioritize their response.
Note: Cisco has provided a CVSS calculator that allows customers to compute the environmental impact for individual networks.
The Cisco PSIRT takes all appropriate steps to notify customers about Cisco vulnerabilities that could have an impact on their network. Our goal is to disclose accurate, neutral, and actionable information, focused on the technical remediation and mitigation of security vulnerabilities.
Over the years, we’ve responded to customer feedback and enhanced our process, to assist users in the triage, mitigation, and remediation of vulnerabilities. We’ve also combined the predictability of a planned, twice-yearly Cisco IOS bundle with the ability to react at a moment’s notice, if needed.
While our process has evolved significantly since our very first IOS advisory in 1995, our core principles in the handling of security vulnerabilities haven’t changed: Transparency before anything else, and a level playing field for all our customers.