Cisco pays out $8.6m for sitting on critical security bug

Cisco is paying out $8.6 million to settle a whistleblower lawsuit regarding claims they knowingly sold vulnerable video surveillance systems with major security flaws to US government agencies.

Whistleblower James Glenn claims he reported the critical vulnerability to Cisco in 2008 whilst working for a Cisco partner. Despite repeatedly making Cisco aware of the flaw they continued to sell the surveillance suite and the issue wasn’t patched until after the vulnerability was disclosed publicly on a security mailing list in 2013; over 4 years after the bug had been initially reported by Glenn.

Further Reading below:

https://arstechnica.com/information-technology/2019/08/cisco-pays-8-6-million-for-selling-surveillance-system-it-knew-was-vulnerable

https://www.securityfocus.com/archive/1/525984/30/0/threaded

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130724-vsm