Cisco Security Disclosure: Help Us Help You!
Wow! We just published our tenth bundle of Cisco IOS Software Security Advisories and what a ride it’s been!! Way back when in the fall of 2008 when we produced our first Cisco IOS Software Security Advisory bundle, we had no idea of the impact that this delivery format would have on us internally and, more importantly, on you – our customers!! The decision to deliver the biannual (on the fourth Wednesday of every March and September) Cisco IOS Software Security Advisory Bundled Publication brought with it many challenges, process changes, and—in the end—a format for Cisco Vulnerability Disclosure that we hope addresses at least some of your concerns. This format was modeled after the scheduled monthly release used by Microsoft for years, known affectionately as “Microsoft Tuesday” and based on requests we heard through discussions with many of our customers.
Historically, customers made it clear to Cisco that every release of a Product Security Incident Response Team (PSIRT) Security Advisory created significant challenges for them as organizations. Their ability to react with confidence was limited by the lack of proactive guidance from Cisco. The following is a direct quote from a Cisco customer:
“The announcements were random acts of terror that always seemed to be launched at the worst possible time. When one was announced, we had no warning and thus had a mad scramble to assemble both our Cisco team and our internal resources to understand and respond to the PSIRT. It was awful, every time. Since we didn’t know when the PSIRTs were coming, we were often caught unaware and without the proper internal resources to analyze them. And, since the PSIRTs were announced to us at the same time as our customers, we were under immense time pressure to analyze and respond to our customer queries almost instantaneously.”
As a result of this feedback from our customers, partners, and customer-facing employees regarding the security disclosure process, Cisco evolved the Cisco IOS Software Security Advisory program in 2008 to include two key elements:
- The “bundling” of Cisco IOS Software Security Advisories. Through modification of internal Cisco processes, customers are now offered a common version of code to which they can migrate for all identified issues in a specific Cisco IOS Software bundle.
- In the footsteps of Microsoft, Cisco initiated releases of Cisco IOS Software Security Advisory bundles on the fourth Wednesday of March and September of each calendar year.
So how can you help us? What we would like to get now is feedback from our customers on how the bundle delivery format has changed your lives (well, at least during working hours!), for better or for worse, when it comes to dealing with Cisco PSIRT security vulnerabilities identified in your Cisco IOS environment.
The information you provide in this survey will help Cisco to continue to evolve our vulnerability disclosure process to address your challenges and concerns, just as we did back in 2008 when we listened to you and developed the Cisco IOS Software Security Advisory bundle process.
And, as always, please visit the Cisco Security Intelligence Operations (SIO) Portal for information on the Cisco IOS Software Security Advisory bundle, as well as other collateral – best practices & white papers, the Cisco Security Blog (), Security Advisories (), Applied Mitigation Bulletins (), IntelliShield Alerts (), and IPS Signature information () – to help you detect and mitigate threats on your network.