At Cisco, our leadership made the decision over twenty four years ago that we would clearly publicly communicate security vulnerabilities or other issues that could potentially expose customers to risk. This is when the Cisco Product Security Incident Response Team (PSIRT) was born. Our team and the security vulnerability process has evolved to meet customer needs for over the last two decades.

The industry has also evolved and many other vendors have created PSIRTs to better protect their customers. However, some vendors are just getting started. This is why the Forum of Incident Response and Security Teams (FIRST) created the Product Security Incident Response Team (PSIRT) Framework. The main purpose of this framework is to help organizations create, maintain, and grow capabilities related to product security and security vulnerability disclosure. This is a collaborative effort that presents different capabilities, services and outcomes of a PSIRT.

The Framework identifies core responsibilities of PSIRT teams, providing guidance on how to build capabilities to investigate and disclose security vulnerabilities, along with remediations, to their customers in a transparent way.

Is This Why There Are So Many Vulnerability Reports Nowadays?

Technology is evolving at a very fast pace. The number of products, software packages, and connected devices will continue to rise. One reason for the increase in reported vulnerabilities is the fact that the industry is definitely getting better at finding vulnerabilities. For instance, the following figure, created by the National Vulnerability Database (NVD), illustrates the distribution of vulnerabilities disclosed in the industry by severity over time.

Because customers are demanding greater transparency, more vendors are creating PSIRTs and becoming more capable of disclosing security vulnerabilities to their customers.

Security vulnerability disclosure and remediation can be disruptive for technology operations, administrators, and end users. Our goal at Cisco is always try to reduce the number of vulnerabilities and continuously enhance our products. With that acknowledgement, it is vital to remember a few factors that drive the purpose behind our vulnerability disclosures. Most importantly, we have a high bar for transparency. At Cisco, we disclose vulnerabilities regardless of how the vulnerability was found or who found it. In fact, the majority of our disclosures are vulnerabilities that we find internally. We disclose these vulnerabilities with a goal of helping customers understand and manage their risk.

We also assign Common Weakness Enumeration (CWE) identifiers to all vulnerabilities disclosed. CWE helps us spot trends across our broad portfolio of hundreds of product lines. Cisco performs root cause analysis to enhance our Cisco Secure Development Lifecycle.

Cisco will continue to provide these resources enable customers protect against cyber threat actors. Our customers can count on our commitment to be transparent, so they can manage their risks.

PSIRTs Working Together

PSIRTs must work together to protect the ecosystem! As stated in the PSIRT Services Framework: