Introducing a New Addition to Cisco’s Security Impact Rating
The Cisco Product Security Incident Response Team (PSIRT) is committed to protecting customers by sharing security-related information in a timely manner and in different formats. Although some of the information that we receive may not relate to a specific vulnerability or issue in a Cisco product, the information may be valuable to our customers. For this reason, PSIRT is introducing a new Security Impact Rating (SIR) for Cisco Security Advisories: Informational.
The Informational rating gives PSIRT the flexibility to provide important security information that may not fit into the traditional Critical, High, Medium, and Low range of SIR values for our security advisories. In advisories that have an Informational SIR, we’ll cover topics such as:
- Information discussed in a public forum
- Configuration suggestions
- General, proactive security outreach
The format of these advisories will be the same as any other type of Cisco Security Advisory. The following figure shows an example of a Cisco Security Advisory that has an Informational SIR:
Key differences from other advisories are the color and text in the advisory badge and the possible absence of Cisco bug IDs, a CVE ID, a CWE ID, and CVSS scores. These differences are due to the nature of the Informational advisory. Unlike advisories with other SIR values, Informational advisories are likely to discuss potential issues, not proven vulnerabilities or vulnerabilities that affect Cisco products. To learn how the new Informational SIR value compares to existing SIR values, see the Assessing Security Risk section of the Cisco Security Vulnerability Policy.
As with other Cisco Security Advisories, PSIRT will publish Informational Security Advisories to the Cisco Security Portal, and they will be available from the Cisco Security Advisories and Alerts page. On this page, you can sort advisories and apply various filters, including a SIR-based filter, to find what you are looking for. As with other Cisco Security Advisories, you can also use various methods to be notified when we publish an Informational advisory. For information about the different ways that you can receive security vulnerability information from Cisco, see the Cisco Security Vulnerability Policy.
Note that Informational Security Advisories replace a previous publication type, Cisco Security Responses. In the past, PSIRT used Cisco Security Responses to address issues that required a response to information discussed in a public forum, such as a blog or discussion list. The responses were typically published if a third party made a public statement about a security issue or vulnerability in a Cisco product. PSIRT will now use Informational Security Advisories to respond to these statements. To ensure that you have a consistent experience finding and reviewing this information, PSIRT converted existing Cisco Security Responses to Cisco Security Advisories that have a SIR value of Informational, and we retained the revision history of each publication.