This is a question that I get asked all the time. I recently published an article outlining the PSIRT Services Framework. In that article, I briefly explained some of the reasons for the rise in security vulnerability reports in recent times.
The industry has moved from counting vulnerabilities to developing maturity models on how companies find, investigate, remediate, and disclose security vulnerabilities.
Technology is evolving at a very fast pace. The number of products, software packages, and connected devices will continue to rise. One reason for the increase in reported vulnerabilities is the fact that the industry is definitely getting better at finding vulnerabilities. For instance, the National Vulnerability Database (NVD) illustrates the distribution of vulnerabilities disclosed in the industry by severity over time in a visualization at: https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time
Because customers are demanding greater transparency, more vendors are creating PSIRTs and becoming more capable of disclosing security vulnerabilities to their customers.
Security vulnerability disclosure and remediation can be disruptive for technology operations, administrators, and end users. Our goal at Cisco is always to try to reduce the number of vulnerabilities and continuously enhance our products. With that acknowledgement, it is vital to remember a few factors that drive the purpose behind our vulnerability disclosures. Most importantly, we have a high bar for transparency. At Cisco, we disclose vulnerabilities regardless of how the vulnerability was found or who found it. In fact, the majority of our disclosures are vulnerabilities that we find internally. We disclose these vulnerabilities with the goal of helping customers understand and manage their risk.
We also assign Common Weakness Enumeration (CWE) identifiers to all vulnerabilities disclosed. CWE helps us spot trends across our broad portfolio of hundreds of product lines. Cisco performs root cause analysis to enhance our Cisco Secure Development Lifecycle.
Cisco will continue to provide these resources to enable customers to protect against cyber threat actors. Our customers can count on our commitment to be transparent, so they can manage their risks.