Cisco has reformed the way it discloses vulnerabilities in its products.
The company's adopted a new and – it says – “enhanced and simplified” view of vulnerabilities in its products, cooked up its own Security Impact Rating (SIR) scores to let you know just how deep you're in it when a vuln appears, adopted the CVE system and the Common Vulnerability Reporting Framework (CVRF) so its bugs are described in standard and machine-readable form. Making the data machine-readable will come in handy once Cisco completes its promised API it says will appear “within the next few months.” The API is promised to to let customers “customize the Cisco information and publications to meet their specific needs. It will also allow them to set up rules for automated assessment of their own networks.” Which sounds a fair bit like a “suck up all the vuln reports, sniff my network and tell me what I need to do” kind of thing, which would be nice.
The API and new formats have come about because the Borg's Product Security Incident Response Team (PSIRT) has 'fessed up to past inconsistencies, saying it's previously used different ways of informing world+dog about security messes, depending on the severity of the bug.
As of today, all flaws get the same treatment, a nice new clear presentation on the web (see top of story or here for mobile readers) and a score on the new SIR scale, which grades bugs as follows
|Security Impact Rating||CVSS Score|
|Critical||9.0 – 10.0|
|High||7.0 – 8.9|
|Medium||4.0 – 6.9|
|Low||3.9 or below|
Cisco's pitching these changes as a response to customer feedback. The new regime is described, formally, in this policy. ®