Red Hat Coordinated Vulnerability Disclosure
Introduction
Red Hat Product Security believes that everyone, everywhere, is entitled to the open access and quality information needed to mitigate security and privacy risks. We strive to protect communities of customers, contributors, and partners from digital security threats. We believe an open approach to vulnerability management is the best way to achieve this. We adhere to a vulnerability and incident response plan that defines how Common Vulnerabilities and Exposures (CVEs) are identified, remediated, and disclosed.
This policy supports our open approach and is intended to give security researchers clear guidelines for submitting and coordinating discovered vulnerabilities with us. In complying with this policy, you authorize Red Hat to work with you to understand and resolve the issue quickly.
Coordination guidelines
The items on this list are industry best practices for facilitating successful coordination, which we strive to follow. Information related to CVE program coordination, including Root and CNA of Last Resort activities, can be found in our CVE program guide.
- Reporters of vulnerabilities and Red Hat should agree on a reasonable amount of time to resolve the issue before a vulnerability is disclosed publicly. This initial coordination helps keep customer and individual data confidential and the general public safe.
- Active communication and engagement help ensure that disclosure expectations are met and prioritization is maintained.
- The decision to do multi-vendor coordination must include the reporter and will utilize the VINCE platform.
- Access and visibility to research and all CVE related data should follow the principle of least privilege by anyone involved.
- (Red Hat CNA) Non-Disclosure Agreement (NDA) signatures are not required.
- (Red Hat CNA) All vulnerabilities within CNA scope will be assigned a CVE.
Scope
This policy applies to all Red Hat products and services and the components which make up those products and services. Research disclosed to Red Hat will be limited to Red Hat associates; however, we will assist in coordinating the disclosure of research with upstream open source communities as needed and requested. Red Hat does not participate in or sponsor a bug bounty program.
Expected response
Initial contact and disclosure
The Red Hat Product Security team can be contacted at secalert@redhat.com. Red Hat Product Security uses an OpenPGP key to secure our email communications. Mail sent to secalert@redhat.com can be encrypted. Our PGP public key is listed on our main contact page. Email sent to secalert@redhat.com is read and acknowledged within one business day and we will work with you to confirm the existence and impact of the vulnerability.
Finders should include the following information in their report, if known:
- The version number of the affected component and product.
- The environment and corresponding product(s) version(s) where the issue was discovered, for example, the operating system's name, version, architecture, or container platform.
- The steps to reproduce, if reproduced.
- The ways an attacker could exploit the vulnerability on a system.
- The immediate impact if an attacker exploits the vulnerability, such as a denial of service, privilege escalation, or remote code execution.
What to expect for coordination and public release
After initial disclosure, Red Hat will triage and assess any potential impact on Red Hat components and software. We will determine a severity rating and coordinate the next actions, as appropriate. If the vulnerability is not under embargo, all information and initial scores are published on Red Hat's CVE pages immediately. Coordination will continue with our engineers, the reporter, and upstream to find mitigations for the vulnerability while we all work together to prepare and plan a remediation fix.
We respect any requests for confidentiality; however, by default we will correctly attribute findings to the researcher. We do not require an NDA. Confidential and embargoed reports are treated as TLP:RED until a mutually agreed-upon public date is reached. Red Hat prefers embargo disclosure timelines of less than 30 days; however, efforts will be made to keep public dates realistic. Our goal is to maintain an open dialogue during the assessment and remediation process.
All vulnerabilities, regardless of the fix status, are disclosed as soon as they are public and known to Red Hat.