Why Out-of-Cycle Cisco IOS Security Advisories Are a Good Thing

September 8, 2009

In the first part of 2008 we announced that we would be following a new disclosure schedule for Cisco IOS Security Advisories. We did this in response to customer feedback and to make our advisory announcements more predictable and less burdensome to act on.

Under this schedule we aim to announce groups of Cisco IOS Security Advisories, called "bundles", only twice a year: on the fourth Wednesday in March and the fourth Wednesday in September. However, as noted in the original announcement, the policy remains flexible and allows for out-of-cycle publication where we judge that extraordinary circumstances warrant it. For example, we might publish early for an issue that required industry-wide coordination, or when our assessment indicates that earlier publication would reduce risk to our customers.

Today, on the 8th of September, we did exactly that: we notified our customers of how they may be affected by a vulnerability disclosed by a third-party coordinator. While not ideal, I believe that out-of-cycle advisories like this one are a good thing.

In a perfect world there would be no vulnerabilities in any product. However, even the most optimistic among us can understand that software as complex as Cisco IOS Software will have bugs, and that some of those bugs will expose security vulnerabilities. The responsible course of action is for us to inform our customers of those vulnerabilities so that you can make the decisions you need to make: upgrade the software, apply a mitigation or workaround, or accept the risk and do nothing.

Out-of-cycle advisories for Cisco IOS Software, like the TCP issue released today, represent active management of the disclosure process and are only released during extraordinary circumstances. Choosing to publicly release information to you, our customers, instead of waiting until the next scheduled Cisco IOS advisory bundle results in you having the credible information you need to make decisions and protect your network.

If instead we decided not to respond during these exceptional situations, you would be left with only the information published by the third party: information that may or may not be conclusive, helpful, or even correct. That would be a patently bad situation.

Of course we will work to minimize the number of out-of-cycle advisories for Cisco IOS Software. But rest assured, we will do all that we can so that you can make the informed decisions needed to keep your network secure.
