

By Simon Sharwood, 6th October 2015 05:26

Cisco reforms its security disclosure process

API to crunch machine-readable data feed coming your way real soon now

Cisco has reformed the way it discloses vulnerabilities in its products.

The company has adopted a new and, it says, “enhanced and simplified” view of vulnerabilities in its products; cooked up its own Security Impact Rating (SIR) scores to tell you just how deep you're in it when a vuln appears; and adopted the CVE system and the Common Vulnerability Reporting Framework (CVRF), so its bugs are described in standard, machine-readable form. The machine-readable data will come in handy once Cisco completes its promised API, which it says will appear “within the next few months.” The API is promised to let customers “customize the Cisco information and publications to meet their specific needs. It will also allow them to set up rules for automated assessment of their own networks.” Which sounds a fair bit like a “suck up all the vuln reports, sniff my network and tell me what I need to do” kind of thing, which would be nice.

Cisco's already switched on a new RSS feed of its vulnerability notices, in CVRF format, and pointed punters to a Python parsing tool that can read the contents, the better to enable

The API and new formats have come about because the Borg's Product Security Incident Response Team (PSIRT) has 'fessed up to past inconsistencies, saying it's previously used different ways of informing world+dog about security messes, depending on the severity of the bug.

As of today, all flaws get the same treatment: a nice new clear presentation on the web (see top of story or here for mobile readers) and a score on the new SIR scale, which grades bugs as follows:

Security Impact Rating   CVSS Score
Critical                 9.0 – 10.0
High                     7.0 – 8.9
Medium                   4.0 – 6.9
Low                      3.9 or below
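To make the two halves of the story concrete, here is an added example (not Cisco's parser, not its forthcoming API, and not code from the article) of what a “rule for automated assessment” could look like once advisories arrive as CVRF: read a CVRF 1.1 document, rate each vulnerability on the SIR bands in the table above, and keep only the entries that name a product ID in your own inventory. The namespace URIs and the element layout are assumed to follow the CVRF 1.1 schema; the sample document and its CVE numbers are constructed placeholders, not real advisories.

```python
# Triage a CVRF 1.1 advisory document against Cisco's SIR bands. Added example,
# not Cisco's PSIRT tooling; the sample document at the bottom is constructed.
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (assumption: URIs from the ICASI CVRF 1.1 schema).
NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# SIR bands from the table above as (name, inclusive lower bound). CVSS base
# scores run 0.0-10.0, so "3.9 or below" becomes a floor of 0.0 for Low.
SIR_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.0))
SIR_RANK = {name: i for i, (name, _) in enumerate(reversed(SIR_BANDS))}  # Low=0..Critical=3

def sir_for_cvss(score):
    """Map a CVSS base score to its Security Impact Rating name."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for name, floor in SIR_BANDS:
        if score >= floor:
            return name
    raise AssertionError("unreachable: Low has floor 0.0")

def parse_cvrf(xml_text):
    """Return one record per <Vulnerability>. Several ScoreSets may be present
    (one per product line); the highest BaseScore drives the rating so triage
    never under-rates. Unscored entries get rating None rather than vanishing."""
    root = ET.fromstring(xml_text)
    records = []
    for v in root.findall("vuln:Vulnerability", NS):
        scores = [
            float(bs.text)
            for bs in v.findall("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore", NS)
            if bs.text
        ]
        affected = [
            p.text
            for st in v.findall("vuln:ProductStatuses/vuln:Status", NS)
            if st.get("Type") == "Known Affected"
            for p in st.findall("vuln:ProductID", NS)
        ]
        top = max(scores) if scores else None
        records.append({
            "cve": v.findtext("vuln:CVE", default="", namespaces=NS),
            "title": v.findtext("vuln:Title", default="", namespaces=NS),
            "cvss": top,
            "sir": sir_for_cvss(top) if top is not None else None,
            "affected": affected,
        })
    return records

def actionable(records, inventory, minimum="High"):
    """Assessment rule: advisories at or above `minimum` naming a product in the
    inventory. Unscored hits are kept for manual review, never silently dropped."""
    wanted = set(inventory)
    keep = []
    for r in records:
        if not wanted.intersection(r["affected"]):
            continue
        if r["sir"] is None or SIR_RANK[r["sir"]] >= SIR_RANK[minimum]:
            keep.append(r)
    return keep

# Constructed sample document; CVE values are placeholders, not real identifiers.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
  xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Constructed sample advisory</DocumentTitle>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Remote code execution in sample-service</vuln:Title>
    <vuln:CVE>CVE-1900-0001</vuln:CVE>
    <vuln:ProductStatuses><vuln:Status Type="Known Affected">
      <vuln:ProductID>sample-router-os-15.1</vuln:ProductID></vuln:Status></vuln:ProductStatuses>
    <vuln:CVSSScoreSets>
      <vuln:ScoreSet><vuln:BaseScore>7.8</vuln:BaseScore></vuln:ScoreSet>
      <vuln:ScoreSet><vuln:BaseScore>9.3</vuln:BaseScore></vuln:ScoreSet>
    </vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Information disclosure in sample-web-ui</vuln:Title>
    <vuln:CVE>CVE-1900-0002</vuln:CVE>
    <vuln:ProductStatuses><vuln:Status Type="Known Affected">
      <vuln:ProductID>sample-switch-os-3.2</vuln:ProductID></vuln:Status></vuln:ProductStatuses>
    <vuln:CVSSScoreSets><vuln:ScoreSet><vuln:BaseScore>5.0</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3">
    <vuln:Title>Unscored issue in sample-agent</vuln:Title>
    <vuln:CVE>CVE-1900-0003</vuln:CVE>
    <vuln:ProductStatuses><vuln:Status Type="Known Affected">
      <vuln:ProductID>sample-router-os-15.1</vuln:ProductID></vuln:Status></vuln:ProductStatuses>
  </vuln:Vulnerability>
</cvrfdoc>"""

if __name__ == "__main__":
    for r in actionable(parse_cvrf(SAMPLE_CVRF), ["sample-router-os-15.1"]):
        print(r["cve"], r["sir"], r["cvss"], r["title"])
```

Two practitioner notes. First, the rule deliberately keeps advisories that name your kit but carry no score: a feed that occasionally omits a ScoreSet should raise a human question, not quietly disappear below the threshold. Second, the standard-library parser is fine for a feed you fetch over HTTPS from Cisco; if the same code will ever be pointed at CVRF from an untrusted source, parse it with defusedxml instead, which blocks external entities and entity-expansion bombs that a plain XML parser may happily honour.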

Cisco's pitching these changes as a response to customer feedback. The new regime is described, formally, in this policy. ®
