Red Hat CNA Vulnerability Disclosure Policy

Updated -

Purpose

The purpose of this policy is to balance the public's need to be informed of security vulnerabilities with vendors' need for time to respond effectively to the security vulnerabilities. The final publication schedule will be based on the best interests of the community overall.

Roles and Responsibilities

  • Red Hat - The Incident Response team (part of the Red Hat Product Security team) is responsible for triaging and analyzing new or potential vulnerabilities affecting Red Hat’s portfolio.
  • Finder - Commonly known as the reporter. These are upstream parties, researchers, and individuals who report a vulnerability to Red Hat. All finder data is aggregated and triaged by Product Security. Finders may also wish to keep vulnerability information embargoed with Red Hat and other vendors until a fix is available. In these circumstances, Red Hat coordinates the embargo and disclosure dates with the finder. Finders are recognized on our public CVE pages for valid flaws in coordination with Red Hat. 
  • Third-Party Coordinators - Red Hat’s collaboration with other industry Incident Response teams through organizations such as FIRST or CERT-CC when there are mutually beneficial security objectives for the community or ecosystem. 

Policy Statement

What. Red Hat Product Security is a designated CVE Numbering Authority (CNA) for the Red Hat portfolio (scope) and the Fedora Project (separate scope). Red Hat Product Security is the authoritative source for assigning CVE IDs within our scope(s) and supplying the description and references to the CVE Program to populate the records within the CVE list. The CVE list feeds the NIST National Vulnerability Database (NVD).

Red Hat welcomes and encourages all potential vulnerability submissions. Red Hat will triage and assess each report against our severity rating for impact. To provide the best customer service and address issues in a timely manner, Finders must provide the following information, if known:

  • The version number of the affected component and/or product.
  • The environment and corresponding product(s) version(s) where the issue was discovered, for example, the operating system's name, version, architecture, or container platform.
  • The steps to reproduce (if reproduced).
  • The ways an attacker could exploit this vulnerability on a system.
  • The immediate impact if an attacker exploits the vulnerability, such as a denial of service, privilege escalation, or remote code execution.

If Red Hat confirms that the reported issue is a vulnerability impacting our products, we will assign a CVE ID regardless of severity. If the vulnerability falls under the scope of another CNA, Red Hat will coordinate with the finder and the identified CNA for that assignment.

Who.  The Red Hat Product Security team can be contacted at secalert@redhat.com - Red Hat Product Security uses an OpenPGP key to secure our email communications. Mail sent to secalert@redhat.com can be encrypted - our PGP public key is listed on our main contact page. Email sent to secalert@redhat.com is read and acknowledged with a non-automated response within three working days. For issues that are complicated and require significant attention, we will open an investigation and provide you with a mechanism to check the status of our progress at any time.

Red Hat Product Security does not discuss potentially private and sensitive embargoed security vulnerabilities in public. Any reproducers or proof of concept code shared with Red Hat is kept private by Red Hat and not publicly disclosed, even after the embargo is lifted. Red Hat acknowledges finders that report vulnerabilities privately and exclusively to the Red Hat Product Security team, subject to the following conditions:

  • If a finder uses a third-party coordinator that gives Red Hat advances notice, we will give acknowledgments to the finder and coordinating party. 
  • The finder, if an individual, agrees to be listed publicly.
  • Finders are not acknowledged if the reported vulnerability was already public.

When.  Red Hat considers a vulnerability ready to be disclosed when one of the following conditions are met:

  • The finder agrees that the issue is public and does not require an embargo. 
    Red Hat normally recommends that a vulnerability severity rated Low or Moderate (according to the Red Hat Product Security Severity Ratings) does not need to be embargoed.
  • When embargoed by a finder or a coordinating party for disclosure, the embargo restrictions are removed as part of a public Coordinated Release Date (CRD).

Red Hat prefers embargo disclosure timelines of less than 45 days. However, Red Hat will respect the wishes of the finder or coordination party for disclosure timelines. Red Hat considers an issue public (and/or embargo breached) in circumstances such as a commit in a public repo that clearly indicates that it is fixing the security vulnerability, or public discussion that the commit is fixing a security vulnerability.

Where.  All vulnerabilities known by Red Hat to affect our products and are ready to be publicly disclosed will be published in the Red Hat CVE Database. Other Red Hat pages and data sources may also contain information about vulnerabilities, but the CVE Database is the authoritative source.

Communities.  Red Hat participates in the community of open source security vendors, researchers, coordinators, and upstream projects. Red Hat acts in the interest of balancing the need for timely disclosure of open source security information and the need to protect the customers of such technologies. Red Hat will share information and work with vendors and projects to resolve sensitive security issues to ensure vulnerabilities are adequately fixed and verified.
 
Red Hat will suggest to the finder to use distros or CERT/CC as third-party coordinators and give guidance when appropriate for large-scale coordination. Both distros and CERT/CC have multiple restrictions and specific disclosure guidance that must be considered for coordinated disclosures.

  • The distro's private mailing list for coordinated disclosure of embargoed vulnerabilities between multiple Linux distros.
  • CERT/CC coordinates disclosure for complex vulnerabilities that impact multiple parties across different industries.

Bug Bounties. Red Hat does not participate in any bug bounty programs.