Cisco develops new and improved security disclosure process
In response to customer feedback, Cisco has embraced an “enhanced and simplified” view of vulnerabilities in its products.
It has built its own Security Impact Rating (SIR) scale to tell users how much trouble they're in when a vulnerability appears, and has adopted the CVE system and the Common Vulnerability Reporting Framework (CVRF) so that its bugs are described in a standard, machine-readable form.
The API that Cisco promises to complete in the next few months will allow customers to “customise the Cisco information and publications to meet their specific needs. It will also allow them to set up rules for automated assessment of their own networks.”
Cisco has turned on a new RSS feed of vulnerability notices in CVRF format, and directed punters to a Python parsing tool that can read the contents. The API and new formats follow an admission by its Product Security Incident Response Team (PSIRT) that its past practice was inconsistent: it used different ways to tell people about security messes depending on the bug's severity.
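To show what a consumer of CVRF notices and the kind of "automated assessment" rule the API promise describes would actually do, here is an added example in Python. It is not Cisco's parsing tool and not Cisco's API: it parses a constructed CVRF 1.1 advisory (the advisory ID, product IDs, CVE placeholder and scores are made up for illustration), pulls out the CVE, the Security Impact Rating, the CVSS base score and the affected product IDs, and then checks those against a customer's own product inventory. Placing the SIR in a `Threat` element of `Type="Impact"` is an assumption about layout, not something taken from a real Cisco publication.

```python
"""Parse a CVRF 1.1 advisory and check it against a product inventory.

Added example, not Cisco PSIRT tooling. The XML below is a constructed
advisory in the CVRF 1.1 layout; identifiers, product names, scores and
the placement of the Security Impact Rating (SIR) in a Threat element of
Type="Impact" are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces: document core, vulnerability and product branches.
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
}

# Constructed sample advisory (placeholder IDs, not a real advisory).
SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1"
         xmlns:prod="http://www.icasi.org/CVRF/schema/prod/1.1">
  <DocumentTitle>Example Widget OS SNMP Denial of Service Vulnerability</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentPublisher Type="Vendor"/>
  <DocumentTracking>
    <Identification><ID>example-sa-00001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
  </DocumentTracking>
  <prod:ProductTree>
    <prod:FullProductName ProductID="EX-1001">Widget OS 15.2(1)</prod:FullProductName>
    <prod:FullProductName ProductID="EX-1002">Widget OS 15.2(2)</prod:FullProductName>
    <prod:FullProductName ProductID="EX-1003">Widget OS 15.3(1)</prod:FullProductName>
  </prod:ProductTree>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Widget OS SNMP Subsystem DoS</vuln:Title>
    <vuln:CVE>CVE-0000-0001</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected">
        <vuln:ProductID>EX-1001</vuln:ProductID>
        <vuln:ProductID>EX-1002</vuln:ProductID>
      </vuln:Status>
      <vuln:Status Type="Fixed">
        <vuln:ProductID>EX-1003</vuln:ProductID>
      </vuln:Status>
    </vuln:ProductStatuses>
    <vuln:Threats>
      <vuln:Threat Type="Impact"><vuln:Description>High</vuln:Description></vuln:Threat>
    </vuln:Threats>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet>
        <vuln:BaseScore>7.8</vuln:BaseScore>
        <vuln:Vector>AV:N/AC:L/Au:N/C:N/I:N/A:C</vuln:Vector>
      </vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
</cvrfdoc>
"""

# Cisco's SIR levels, lowest to highest, for threshold comparisons.
SIR_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def parse_cvrf(xml_text):
    """Return the advisory ID, title and one record per Vulnerability element.

    Feed content is untrusted input; xml.etree does not fetch external
    entities, but for production feed handling prefer defusedxml.
    """
    root = ET.fromstring(xml_text)
    names = {p.get("ProductID"): (p.text or "").strip()
             for p in root.iterfind(".//prod:FullProductName", NS)}
    advisory = {
        "id": root.findtext("cvrf:DocumentTracking/cvrf:Identification/cvrf:ID", namespaces=NS),
        "title": root.findtext("cvrf:DocumentTitle", namespaces=NS),
        "products": names,
        "vulnerabilities": [],
    }
    for v in root.iterfind("vuln:Vulnerability", NS):
        # Status Type values ("Known Affected", "Fixed", ...) map to product ID lists.
        statuses = {st.get("Type"): [pid.text.strip() for pid in st.iterfind("vuln:ProductID", NS)]
                    for st in v.iterfind("vuln:ProductStatuses/vuln:Status", NS)}
        score = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", namespaces=NS)
        advisory["vulnerabilities"].append({
            "cve": v.findtext("vuln:CVE", namespaces=NS),
            "title": v.findtext("vuln:Title", namespaces=NS),
            # Assumed: vendor SIR published as the Impact threat description.
            "sir": v.findtext("vuln:Threats/vuln:Threat[@Type='Impact']/vuln:Description", namespaces=NS),
            "cvss_base": float(score) if score else None,
            "affected": statuses.get("Known Affected", []),
            "fixed": statuses.get("Fixed", []),
        })
    return advisory


def assess_inventory(advisory, inventory, min_sir="Medium"):
    """Customer-side rule: (product_id, cve, sir) for inventory items that are
    Known Affected by a vulnerability rated at or above min_sir."""
    hits = []
    for v in advisory["vulnerabilities"]:
        if SIR_RANK.get(v["sir"], -1) < SIR_RANK[min_sir]:
            continue
        hits.extend((pid, v["cve"], v["sir"]) for pid in inventory if pid in v["affected"])
    return hits


if __name__ == "__main__":
    adv = parse_cvrf(SAMPLE_CVRF)
    for pid, cve, sir in assess_inventory(adv, ["EX-1002", "EX-1003", "EX-9999"]):
        print(f"{adv['id']}: {adv['products'].get(pid, pid)} affected by {cve} (SIR {sir})")
```

The inventory rule is deliberately simple: a real deployment would key on the vendor's product identifiers as they appear in the feed, keep the `Fixed` list to point at an upgrade target, and treat an unknown SIR value as a reason to alert rather than to skip.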