[c-nsp] Prepare for router Wednesday

Clay Seaman-Kossmey ckossmey at cisco.com
Tue Mar 11 16:31:40 EDT 2008


Hello Folks -

Clay Kossmeyer here from the Cisco PSIRT.

I can see there's a lot of interest around the changes in our
vulnerability disclosure policy, and I'd like to direct you to the
following section of the announcement that can be found here on
Cisco's website:

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

"This schedule change will not restrict us from promptly publishing an
individual IOS Security Advisory for a serious vulnerability which is
publicly disclosed or for which we are aware of active exploitation."

For vulnerabilities that are publicly known, or for which we see
active exploitation, we will publish Security Advisories immediately.
This has always been Cisco's policy, and remains so.

In the history of PSIRT Security Advisories, the majority of security
vulnerabilities we report on are either found through internal testing
or from a very small number of customer reports that are confirmed to
be non-malicious.  This schedule change for IOS security advisories is
designed to help customers avoid multiple 'fire-drill' software
upgrades per year for issues that do not pose an immediate security
threat.

One other point that bears mention is that although our announcement
of these vulnerabilities has moved to a six month schedule, the
availability of fixes has not.  As we discover and fix these bugs,
they are included in releases posted to cisco.com well before the
Advisory announcement date.  The actual public disclosure of
vulnerabilities is the end of the cycle so that customers who have
recently upgraded may have already deployed fixed software.

As always, we're happy to receive input on our policies.

Regards,

Clay



On Mar 11, 2008, at 9:41 AM, Robert Boyle wrote:

> At 08:43 AM 3/11/2008, you wrote:
>> http://www.techworld.com/security/news/index.cfm?RSS&NewsID=11665
>>
>> "Following the lead of Microsoft and Oracle, Cisco Systems will
>> start releasing security patches for some of its products on a
>> schedule.
>> ...
>> The first of these scheduled updates will occur on Wednesday, 26
>> March, and Cisco will continue to release patches on a twice-yearly
>> schedule after that, Cisco said in a note posted Wednesday on its
>> website. These firmware updates will ship on the fourth Wednesday of
>> September and March each year."
>
> So we need to wait 6 months for security patches if an exploit which
> may affect us is discovered on the fourth Thursday of September?
> That's crazy! Let Enterprise customers wait if they want, I want my
> security patches ASAP so we can test them for a few days then deploy
> network wide. Does anyone else think this is not a rational change?
>
> -Robert
>
>
>
> Tellurian Networks - Global Hosting Solutions Since 1995
> http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
> "Well done is better than well said." - Benjamin Franklin
