SAN JOSE, Calif., January 3, 2007 - The Cisco® Product Security Incident Response Team (PSIRT) will include severity scores in every security advisory that it issues in 2007 and beyond, Cisco announced today. The inclusion of these scores, which measure the risk levels posed by a particular vulnerability, or multiple vulnerabilities, is intended to help Cisco customers better prioritize their software change- and patch-management projects.
The PSIRT security advisories now include scores using base and temporal metrics, two of the three metric groups in the Common Vulnerability Scoring System (CVSS). The base metric group comprises seven fundamental, immutable qualities of a vulnerability, such as whether exploitation requires authentication. The temporal metric group comprises three components that represent the time-dependent qualities of a vulnerability, such as whether exploit code is available and whether a fix exists. The third group, the environmental metrics, is not included because it represents the implementation- and environment-specific qualities of a vulnerability, which customers themselves are best placed to determine.
CVSS is a vendor-agnostic, open industry standard designed to convey the common attributes of vulnerabilities in computer hardware and software systems. CVSS was developed as a cooperative effort between the National Infrastructure Advisory Council and a number of security industry vendors and research organizations, including Cisco. The Forum of Incident Response and Security Teams (FIRST) has been designated as the custodian of CVSS to promote its adoption globally. (See: http://www.first.org/cvss/).
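The split described above is easiest to see with the arithmetic in front of you: the vendor fixes the seven base metrics and three temporal metrics, and the customer feeds the resulting score into the environmental group to get a number that reflects their own network. The following calculator is an added example, not code from Cisco or from FIRST. The metric weights and formulas are those of the CVSS v1 specification, the version in force when this release was issued (v2 replaced it later in 2007 and uses a different formula); the sample vulnerability and the two customer environments scored at the bottom are constructed for illustration and do not describe any real advisory.

```python
"""CVSS v1 calculator: base and temporal (vendor-supplied), environmental (customer-supplied).

Added example; weights follow the CVSS v1 specification (2005), not any Cisco code.
"""
from decimal import Decimal, ROUND_HALF_UP

# --- Base metric group: the seven immutable qualities of the flaw ---
ACCESS_VECTOR = {"local": Decimal("0.7"), "remote": Decimal("1.0")}
ACCESS_COMPLEXITY = {"high": Decimal("0.8"), "low": Decimal("1.0")}
AUTHENTICATION = {"required": Decimal("0.6"), "not-required": Decimal("1.0")}
IMPACT = {"none": Decimal("0"), "partial": Decimal("0.7"), "complete": Decimal("1.0")}
# Impact bias weights as (confidentiality, integrity, availability).
IMPACT_BIAS = {
    "normal": (Decimal("0.333"),) * 3,
    "confidentiality": (Decimal("0.5"), Decimal("0.25"), Decimal("0.25")),
    "integrity": (Decimal("0.25"), Decimal("0.5"), Decimal("0.25")),
    "availability": (Decimal("0.25"), Decimal("0.25"), Decimal("0.5")),
}

# --- Temporal metric group: the three time-dependent qualities ---
EXPLOITABILITY = {"unproven": Decimal("0.85"), "proof-of-concept": Decimal("0.9"),
                  "functional": Decimal("0.95"), "high": Decimal("1.0")}
REMEDIATION_LEVEL = {"official-fix": Decimal("0.87"), "temporary-fix": Decimal("0.90"),
                     "workaround": Decimal("0.95"), "unavailable": Decimal("1.0")}
REPORT_CONFIDENCE = {"unconfirmed": Decimal("0.90"), "uncorroborated": Decimal("0.95"),
                     "confirmed": Decimal("1.0")}

# --- Environmental metric group: known only to the customer, so omitted by the vendor ---
COLLATERAL_DAMAGE = {"none": Decimal("0"), "low": Decimal("0.1"),
                     "medium": Decimal("0.3"), "high": Decimal("0.5")}
TARGET_DISTRIBUTION = {"none": Decimal("0"), "low": Decimal("0.25"),
                       "medium": Decimal("0.75"), "high": Decimal("1.0")}


def _round1(value):
    """Round half-up to one decimal place; Decimal avoids float rounding surprises."""
    return float(value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(av, ac, au, conf, integ, avail, bias="normal"):
    """Base = 10 * AV * AC * Au * (C*Cbias + I*Ibias + A*Abias)."""
    cb, ib, ab = IMPACT_BIAS[bias]
    impact = IMPACT[conf] * cb + IMPACT[integ] * ib + IMPACT[avail] * ab
    return _round1(Decimal("10") * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac]
                   * AUTHENTICATION[au] * impact)


def temporal_score(base, exploitability, remediation, confidence):
    """Temporal = Base * E * RL * RC; only ever lowers the base score."""
    return _round1(Decimal(str(base)) * EXPLOITABILITY[exploitability]
                   * REMEDIATION_LEVEL[remediation] * REPORT_CONFIDENCE[confidence])


def environmental_score(temporal, collateral, distribution):
    """Environmental = (Temporal + (10 - Temporal) * CDP) * TD."""
    t = Decimal(str(temporal))
    return _round1((t + (Decimal("10") - t) * COLLATERAL_DAMAGE[collateral])
                   * TARGET_DISTRIBUTION[distribution])


def score_advisory(base_metrics, temporal_metrics, environment):
    """Chain the three groups: vendor supplies the first two, customer the third."""
    base = base_score(**base_metrics)
    temporal = temporal_score(base, **temporal_metrics)
    return base, temporal, environmental_score(temporal, **environment)


if __name__ == "__main__":
    # Constructed sample: a remote, unauthenticated crash (availability only),
    # with a functional exploit public but an official fix already shipped.
    vendor_base = dict(av="remote", ac="low", au="not-required",
                       conf="none", integ="none", avail="complete")
    vendor_temporal = dict(exploitability="functional", remediation="official-fix",
                           confidence="confirmed")
    # Same advisory, two constructed customer environments.
    core_network = dict(collateral="medium", distribution="high")
    lab_network = dict(collateral="none", distribution="low")
    for name, env in (("core", core_network), ("lab", lab_network)):
        print(name, score_advisory(vendor_base, vendor_temporal, env))
```

The point the release makes is visible in the last step: the same advisory, with identical base (3.3) and temporal (2.7) scores, lands at 4.9 for a widely deployed core device that would cause real collateral damage and at 0.7 for a lightly deployed lab box, so the patch window differs even though the vendor-published numbers do not.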
"The decision to include the CVSS base and temporal metrics in our security advisories is based on direct feedback from our customers requesting that Cisco provide guidance regarding vulnerabilities to facilitate more accurate risk assessments and prioritization. Customers can now compute a score allowing them to set priorities based on the risk to the specific environment," said Russ Smoak, director of technical support for Cisco PSIRT. "Over the years, many of PSIRT's policies and processes have been developed or have evolved through a number of factors, with customer feedback being one of the more important ones."
About Cisco PSIRT
Cisco's Product Security Incident Response Team (PSIRT) is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information related to Cisco products and networks. The on-call PSIRT team works 24x7 with Cisco customers, independent security researchers, consultants, industry organizations, and other vendors to identify possible security issues with Cisco products and networks. More information can be found at http://www.cisco.com/go/psirt.