Red Hat Security Embargo Policy

Embargoed vulnerabilities are not publicly disclosed. Information is limited to key stakeholders on a need-to-know basis and can assist with the security process. An embargoed vulnerability must be kept private (the fix, security information, and typically, the very existence of the vulnerability) until the Coordinated Release Disclosure (CRD) date.

Red Hat must treat information received from any party in relation to a non-public vulnerability in strict confidence. Red Hat will not disclose information to a third party or partner without the originator’s permission. All artifacts related to embargoed issues will be treated as RH-RESTRICTED per Red Hat Data Classifications.

Red Hat and Product Security take the handling of embargoed flaws extremely seriously. Disclosing any information regarding an embargoed vulnerability to the public or an individual not authorized to have the information is considered an embargo breach.