As the cybersecurity landscape rapidly evolves, driven by groundbreaking advancements in artificial intelligence (AI), Cisco is adapting its vulnerability disclosure practices to meet the challenges and opportunities presented by these technologies. Notably, the recent introduction of frontier models with advanced cybersecurity reasoning capabilities is transforming how vulnerabilities are discovered, analyzed, and mitigated. These AI capabilities enable unprecedented speed and scale in identifying security issues, while also allowing network defenders to continuously evolve to address emerging threats. Cisco recognizes that network infrastructure is critical, and demands for availability are unrelenting. The AI evolution puts pressure on defenders to absorb and deploy software at a greater pace.
Harnessing AI to Enhance Cybersecurity
Cisco is actively leveraging advanced AI Models to accelerate finding vulnerabilities and driving remediation. Deploying these models into our security processes allows us to find and fix vulnerabilities at a pace previously unattainable. At the same time, we recognize that adversaries will also take advantage of these evolving AI capabilities, increasing the urgency and complexity of cybersecurity defense. We prioritize cutting edge technologies and research to continuously evolve our tools, techniques, and processes by incorporating capabilities such as: AI-augmented scenarios into red teaming exercises, and deep security evaluations of our products against the sophisticated tactics enabled by these models.
Prioritizing Risk to Empower Customers
Cisco has a long history of disclosing vulnerabilities. Our public facing Security Vulnerability Policy (SVP) describes our process in detail including how to report and receive vulnerability information. We continue to adjust our practices within the goals of our overall policy: security, transparency, trust.
Cisco is evolving our risk-based vulnerability disclosure model. This approach focuses on increasing the visibility of detailed technical information for vulnerabilities that pose the highest risk—those that are critical, actively exploited, or have a higher likelihood of exploitation. By prioritizing disclosures based on risk, we enable customers to focus on their patching and mitigation efforts where they are most needed and urgent.
For vulnerabilities that are found internally with and assessed as lower likelihood for exploitation and lower impact, Cisco may change the level of detail we share, moving our focus to remediation and upgrades. This means that some internally found issues that have a CVSS score in the range for a standalone advisory will no longer be communicated as standalone disclosure.
Updating the Disclosure Cycle for Lower Severity Vulnerabilities
To aid in risk management, Cisco will provide high-level data on our website for releases that contain patches for internally discovered vulnerabilities. This is intended to direct customers to security hardened releases that should be downloaded and qualified for deployment. This update to the traditional disclosure sequence allows customers to understand when releases contain general security patches. Cisco may release further data summarizing changes to the software to address the findings after the initial posting of the software.
Maintaining Our Commitment to Third-Party and Open-Source Code
Our existing practices for vulnerabilities in third-party or open-source components remain unchanged. For high severity issues in these areas, we will continue to post timely responses and provide regular updates as patches are developed and released.
Looking Ahead: The Future of AI and Cybersecurity
The capabilities of frontier AI models will continue to evolve, driving both innovation and new challenges in cybersecurity. Cisco will continue to adapt and lead in this dynamic environment by leveraging AI-driven insights for our security operations and disclosure practices. Our goal is to empower customers with timely, prioritized, and actionable information, enabling them to strengthen their security posture in an increasingly complex threat landscape.
Cisco will use our voice in the vulnerability disclosure space with the intent of driving pragmatic changes that help the industry align and scale to this expected increase in volume.
Cisco’s Product Security Incident Response Team (PSIRT) remains dedicated to collaborating with customers, researchers, and industry partners to deliver transparent, risk-focused vulnerability disclosures that reflect the realities of AI-enhanced cybersecurity.