Red Hat Security FAQs
This page answers some frequently asked questions about Red Hat's security portfolio.
- CVSS
- CVE
  - What is the CVE project?
  - Where can I go to find more information about CVE?
  - Who else uses CVE names?
  - What is the difference between a CVE entry and a candidate?
  - Why does the CVE website tell me a name you referenced is not found?
  - Which Red Hat services use CVE names?
  - What is Red Hat doing with the CVE project?
- Miscellaneous
CVSS
Does Red Hat support Common Vulnerability Scoring System (CVSS)?
Red Hat has been involved in CVSS for several years. Learn more about Red Hat and CVSS here.
CVE
What is the CVE project?
The Common Vulnerabilities and Exposures (CVE) project, maintained by The MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. Learn more at http://cve.mitre.org/.
Where can I go to find more information about CVE?
Refer to the CVE website for information about the CVE project, naming, and various processes.
Who else uses CVE names?
Many organizations use CVE names as part of their security services. More details can be found on the CVE website. In January 2002, the National Institute of Standards and Technology (NIST) issued a draft recommendation that government organizations adopt CVE standard solutions throughout their security infrastructure.
We hope our commitment to the CVE project will encourage other open source vendors to become more actively engaged in this initiative.
What is the difference between a CVE entry and a candidate?
CVE candidates are those vulnerabilities or exposures under consideration for acceptance into CVE. Prior to October 19, 2005, candidates were assigned names with the CAN- prefix to distinguish them from official CVE entries. The CAN- prefix was no longer used after October 19, 2005, although it may still be referenced in older Red Hat publications and advisories.
A CVE name encodes the year the name was assigned and a unique number, N, identifying it as the Nth name assigned that year. For example, CVE-2002-0067 was assigned a unique number in 2002 and was the 67th name assigned that year.
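The naming scheme described above, as an added example that is not Red Hat's or MITRE's code: it extracts CVE names from advisory text and folds legacy CAN- references into their CVE- form so old and new advisories cross-reference to the same identifier. The function and class names are hypothetical, the sample text is constructed, and the 2099 name is a placeholder rather than a real identifier.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# CAN- is the candidate prefix used before October 19, 2005 (per the FAQ).
# The sequence part is matched as four or more digits: the FAQ's example has
# four, and names assigned since 2014 may carry longer sequence numbers.
CVE_NAME = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)


class CveName(NamedTuple):
    year: int
    number: int
    was_candidate: bool  # True if the text used the legacy CAN- prefix

    @property
    def canonical(self) -> str:
        # Zero-pad the sequence number to at least four digits.
        return f"CVE-{self.year}-{self.number:04d}"


def extract_cve_names(text: str) -> list[CveName]:
    """Return the unique CVE names in text, in order of first appearance.

    CAN- and CVE- spellings of the same name collapse into one entry.
    """
    seen: dict[tuple[int, int], CveName] = {}
    for prefix, year, number in CVE_NAME.findall(text):
        key = (int(year), int(number))
        is_can = prefix.upper() == "CAN"
        if key not in seen:
            seen[key] = CveName(key[0], key[1], is_can)
        elif is_can and not seen[key].was_candidate:
            # Record that at least one legacy CAN- reference exists.
            seen[key] = seen[key]._replace(was_candidate=True)
    return list(seen.values())


# Constructed sample text, not taken from a real advisory.
# CVE-2002-0067 is the FAQ's own example; the 2099 name is a placeholder.
SAMPLE = "Fixes CAN-2002-0067 (also listed as CVE-2002-0067) and cve-2099-123456."

if __name__ == "__main__":
    for name in extract_cve_names(SAMPLE):
        note = " (legacy CAN- reference seen)" if name.was_candidate else ""
        print(name.canonical + note)
```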
Why does the CVE website tell me a name you referenced is not found?
In many cases, the security issues our advisories address are not public knowledge prior to an advisory being released, and as such, they do not already have assigned CVE names. For these situations, we work with MITRE to reserve the CVE names we need in advance; however, it can then take a short period of time for the CVE names to appear on the CVE website once the issues become public.
Which Red Hat services use CVE names?
We have added CVE names to all Red Hat Security Advisories (RHSA) released since November 2001. These are found on our website, in email notifications sent to our security mailing lists, and also on the Red Hat Network.
Red Hat has audited all security advisories since January 2000 and assigned or created CVE entries where appropriate. Use the per-CVE pages to find information about a given CVE name.
What is Red Hat doing with the CVE project?
We believe that giving our users accurate and complete information about security issues is extremely important. By including CVE names when we discuss security issues in our services and products, we can help users cross-reference vulnerabilities so they spend less time investigating and categorizing security events.
Red Hat has a representative on the CVE Editorial Board and declared CVE compatibility in April 2002.
Miscellaneous
What is the OVAL project?
The Open Vulnerability and Assessment Language (OVAL) project, maintained by The MITRE Corporation, is an international information security effort that promotes open and publicly available security content and seeks to standardize the transfer of this information across the entire spectrum of security tools and services. Learn more at http://oval.mitre.org/.
