Understanding Red Hat's Customer Security Awareness (CSAw) process


Red Hat Product Security reviews security vulnerabilities discovered or reported to us that affect projects and packages used by Red Hat products. Occasionally security flaws are recognized to be of great concern, or will generate significant media attention. These issues might be branded (with a name, logo, website), may be actively used in exploits "in the wild", or be a severe problem in core packages or operations of our products.

When such an issue is discovered and requires a "high touch" response, meaning that fixes must be expedited or that additional materials need to be created to support the community and users, Red Hat Product Security enacts a process known as the "Customer Security Awareness Workflow" (CSAw). This process alerts key internal stakeholders and helps get the required resources allocated to the correction, testing, and distribution of the fixes to our subscribers so that the vulnerability is resolved.

The diagram accompanying this article shows the high-level steps involved in triaging, testing and remediating the issue, and illustrates some of the stages involved in producing the fixes needed to address the risk.

The CSAw process also helps ensure that Red Hat associates are aware of, and can assist in spreading awareness around, the facts of the issue. The goal of the process is not only the speedy delivery of patches, but also to provide clear, accurate information about the real level of risk a particular issue brings, so that when the public is made aware of the problem, the impact can calmly be assessed and thoughtful plans can be executed to mitigate and remediate the issue.

The CSAw process delivers clear documentation about the status of the issue, the available treatments, and diagnostic information through the Vulnerability Response Center on the Red Hat Customer Portal. There, full details of the vulnerability, its severity scoring, and the associated CVE information can be accessed from one central location, along with quick links to the relevant security advisories.

Along with the notifications and patches, Red Hat Product Security will provide mitigations as available, detection scripts that subscribers can download and use within their own environments, and Ansible Playbooks that can be leveraged to discover and oftentimes remediate vulnerabilities.

As the fixes are provided, Red Hat Product Security uses an array of communications channels to deliver information in the format readers prefer (traditional knowledgebase articles, email alerts, social media alerts, etc.). Red Hat Insights subscribers are alerted to the issue immediately, shown the exact scope of where their systems are vulnerable, and often given remediation options.