Cisco's decided it's going to give 90 days' grace on vulnerability disclosures, to let (mostly) commercial vendors catch up with their bug-fixes.

While the best commercial vendors – especially those with bug bounties and a public pro-security stance – are getting better at responding to notifications, they're held back by laggards, Cisco Talos says.

The new policy means instead of 15 days from when Cisco turns up a vulnerability to its first report to CERT, the vendor gets 45 days before CERT is told. The report to CERT triggers its 45 day timeline.

Talos's Mitch Neff writes that proprietary software vendors' average response time of more than 80 days from report-to-patch is held back by slow responders.

The average response time among the best commercial vendors was 38 days.

The most responsive of these vendors … share some common traits,” Neff writes. “All are large commercial vendors of popular consumer software, have taken a public stance on product security, and have active bug-bounty programs.”

Cisco Disclosure Timeline

Day 0 Initial vendor contact;

Protections released to customers who use Cisco security products Day 7 Second vendor contact if there is no response from the vendor Day 15 Vendor notification date published on the Cisco Talos vulnerability tracker website Day 45 Vulnerability report forwarded to CERT if there is no response from the vendor Day 90 Vulnerability disclosed by CERT per their coordination guidelines;

Full disclosure of the vulnerability report on the Cisco Talos vulnerability tracker website after a patch or mitigation is released or the time limit expires

Their efforts mean such vendors are “competitive with Open Source companies in terms of time to patch” – with the open source world turning around patches in 42 days, on average (the best performer dropped a bug-fix on the same day it was disclosed). ®