Cisco stre...tches vulnerability disclosure timeline out to 90 days

Big vendors patch bugs nearly as quick as open source coders

Cisco's decided it's going to give 90 days' grace on vulnerability disclosures, to let (mostly) commercial vendors catch up with their bug-fixes.

While the best commercial vendors – especially those with bug bounties and a public pro-security stance – are getting better at responding to notifications, they're held back by laggards, Cisco Talos says.

The new policy means instead of 15 days from when Cisco turns up a vulnerability to its first report to CERT, the vendor gets 45 days before CERT is told. The report to CERT triggers its 45 day timeline.

Talos's Mitch Neff writes that proprietary software vendors' average response time of more than 80 days from report-to-patch is held back by slow responders.

The average response time among the best commercial vendors was 38 days.

The most responsive of these vendors … share some common traits,” Neff writes. “All are large commercial vendors of popular consumer software, have taken a public stance on product security, and have active bug-bounty programs.”

Cisco Disclosure Timeline

Day 0 Initial vendor contact;
Protections released to customers who use Cisco security products
Day 7 Second vendor contact if there is no response from the vendor
Day 15 Vendor notification date published on the Cisco Talos vulnerability tracker website
Day 45 Vulnerability report forwarded to CERT if there is no response from the vendor
Day 90 Vulnerability disclosed by CERT per their coordination guidelines;
Full disclosure of the vulnerability report on the Cisco Talos vulnerability tracker website after a patch or mitigation is released or the time limit expires

Their efforts mean such vendors are “competitive with Open Source companies in terms of time to patch” – with the open source world turning around patches in 42 days, on average (the best performer dropped a bug-fix on the same day it was disclosed). ®

Sponsored: Practical tips for Office 365 tenant-to-tenant migration


Keep Reading

A man wearing a VR headset in the year 2020

Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...

Patch Tuesday Grab your Microsoft, Adobe, SAP, Intel, and VMware fixes now
A close-up of the Windows key on a PC keyboard

Bad news: Windows security cert SNAFU exploits are all over the web now. Also bad: Citrix gateway hole mitigations don't work for older kit

Vid Good news: There is none. Well, apart from you can at least fully patch the Microsoft blunder
Woman holding keys

Leave your admin interface's TLS cert and private key in your router firmware in 2020? Just Netgear things

Finding sparks debate over bug disclosure – and how to secure a local gateway's web control panel

Cert authority Sectigo whisks infosec biz Icon Labs into IoT security kit

Secure boot, local CA for your network o' widgets, and more

Remember the Clipper chip? NSA's botched backdoor-for-Feds from 1993 still influences today's encryption debates

Enigma We'll laugh at today's mandated holes in the same way we laugh at those from 25 years ago
Faces screaming in the distance

Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt

Expensive renewals once a year... or free certificates any time? Tough choice

Open-source 64-ish-bit serial number gen snafu sparks TLS security cert revoke runaround

64 bits of cert ID on the wall, 64 bits of ID. Take the top bit down, don't pass it around, 63 bits of cert ID on the wall...

US-Cert alert! Thanks to a massive bug, VPN now stands for 'Vigorously Pwned Nodes'

Multiple providers leaving storage cookies up for grabs

Biting the hand that feeds IT © 1998–2020