Cisco reforms its security disclosure process

API to crunch machine-readable data feed coming your way real soon now

[Image: Cisco's new, improved, ever-so-easy-to-read vuln report format]

Cisco has reformed the way it discloses vulnerabilities in its products.

The company's adopted a new and – it says – “enhanced and simplified” view of vulnerabilities in its products; cooked up its own Security Impact Rating (SIR) scores, to let you know just how deep you're in it when a vuln appears; and adopted the CVE system and the Common Vulnerability Reporting Framework (CVRF), so its bugs are described in a standard, machine-readable form.

Making the data machine-readable will come in handy once Cisco completes its promised API, which it says will appear “within the next few months.” The API is promised to let customers “customize the Cisco information and publications to meet their specific needs. It will also allow them to set up rules for automated assessment of their own networks.” Which sounds a fair bit like a “suck up all the vuln reports, sniff my network and tell me what I need to do” kind of thing, which would be nice.

Cisco's already switched on a new RSS feed of its vulnerability notices, in CVRF format, and pointed punters to a Python parsing tool that can read the contents, the better to enable

The API and new formats have come about because the Borg's Product Security Incident Response Team (PSIRT) has 'fessed up to past inconsistencies, saying it's previously used different ways of informing world+dog about security messes, depending on the severity of the bug.

As of today, all flaws get the same treatment: a nice new clear presentation on the web (see top of story or here for mobile readers) and a score on the new SIR scale, which grades bugs as follows:

Security Impact Rating    CVSS Score
Critical                  9.0 – 10.0
High                      7.0 – 8.9
Medium                    4.0 – 6.9
Low                       3.9 or below
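As an added illustration, not code from Cisco or from this article: a small Python routine that reads a CVRF 1.1 advisory (a constructed sample with placeholder CVE ids), maps each CVSS base score onto a SIR band using the table above, and applies the kind of "tell me what needs doing" rule the promised API is meant to support. The CVRF element names follow the published 1.1 schema; the record layout and the needs_action rule are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (the machine-readable format the article says Cisco adopted).
NS = {"cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
      "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1"}

# Cisco's SIR bands from the table above: (inclusive lower CVSS bound, rating).
SIR_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.0, "Low")]
SIR_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

def cvss_to_sir(score):
    """Map a CVSS base score (0.0-10.0) onto a Cisco Security Impact Rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for lower, rating in SIR_BANDS:  # bands are checked highest first
        if score >= lower:
            return rating

def parse_cvrf(xml_text):
    """Return one record per <vuln:Vulnerability> in a CVRF 1.1 document."""
    records = []
    for v in ET.fromstring(xml_text).findall("vuln:Vulnerability", NS):
        base = v.findtext("vuln:CVSSScoreSets/vuln:ScoreSet/vuln:BaseScore",
                          default=None, namespaces=NS)
        score = float(base) if base is not None else None
        records.append({
            "cve": v.findtext("vuln:CVE", default="", namespaces=NS),
            "cvss": score,
            # An entry with no score set is left unrated rather than guessed at.
            "sir": cvss_to_sir(score) if score is not None else "Unrated",
        })
    return records

def needs_action(records, min_sir="High"):
    """Assessment rule (assumed): CVE ids rated at or above min_sir; unrated excluded."""
    floor = SIR_RANK[min_sir]
    return [r["cve"] for r in records if SIR_RANK.get(r["sir"], -1) >= floor]

# Constructed sample advisory with placeholder CVE ids; not a real Cisco document.
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <vuln:Vulnerability Ordinal="1"><vuln:CVE>CVE-0000-0001</vuln:CVE><vuln:CVSSScoreSets>
    <vuln:ScoreSet><vuln:BaseScore>9.3</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets></vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2"><vuln:CVE>CVE-0000-0002</vuln:CVE><vuln:CVSSScoreSets>
    <vuln:ScoreSet><vuln:BaseScore>6.9</vuln:BaseScore></vuln:ScoreSet></vuln:CVSSScoreSets></vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3"><vuln:CVE>CVE-0000-0003</vuln:CVE></vuln:Vulnerability>
</cvrfdoc>"""
```

Calling parse_cvrf(SAMPLE_CVRF) rates the first entry Critical, the second Medium and the third Unrated, and needs_action on that list returns only the first CVE id at the default High floor.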

Cisco's pitching these changes as a response to customer feedback. The new regime is described, formally, in this policy. ®



Biting the hand that feeds IT © 1998–2019