"Our approach is to explain the risk and not say if it's a 'red' or a 'yellow' or a 'green,' " Caudill said. "We'll explain the problem and let customers decide" what to do. Caudill said Cisco has a long tradition of working with security researchers who find vulnerabilities in its products. But, he added, researchers need to be more consistent in the manner in which they disclose flaws to vendors.