Red Hat Common Vulnerabilities and Exposure (CVE) Program


Red Hat’s involvement in the CVE Program

Red Hat has been a CVE Program partner since 2002. Red Hat has played a significant role in the program's development and is uniquely positioned within it, representing the open source community and the way community contributions shape the overall vulnerability ecosystem.

We are designated as a CVE Numbering Authority (CNA), Root, and now a CNA of Last Resort (CNA-LR). For more details, refer to https://www.cve.org/PartnerInformation/ListofPartners/partner/redhat.

This article outlines each of these scopes and the processes for coordinating with us.

Red Hat as a CNA

CNAs are organizations authorized to assign CVE IDs and publish the corresponding CVE Records for vulnerabilities within a defined scope. Red Hat operates as a CVE Numbering Authority (CNA) for two separate scopes:

  • Red Hat CNA scope: Vulnerabilities in open source projects affecting Red Hat software that are not covered by a more specific CNA. CVE IDs can also be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat software.
  • Fedora Project CNA scope: Vulnerabilities in open source projects affecting the Fedora Project that are not covered by a more specific CNA. CVE IDs can also be assigned to vulnerabilities affecting end-of-life or unsupported Fedora Project releases.

Our relationship with the CVE Program is key to responding to vulnerabilities efficiently. It is also through this relationship that Red Hat brings an open source viewpoint to addressing CVE issues and needs.

Reporting a security vulnerability to Red Hat

All security issues and potential or verified security vulnerabilities within the Red Hat and Fedora Project scope should be reported to secalert@redhat.com.

Additional information on reporting security vulnerabilities can be found in Security Contacts and Procedures.

Please see the Red Hat CNA Vulnerability Disclosure Policy for details on how Red Hat discloses security vulnerabilities within the Red Hat and Fedora Project scopes.

CVE assignment and publication by Red Hat

We take our responsibilities as a CNA seriously and triage every reported security vulnerability to determine its validity. If the vulnerability is valid, we assign a CVE ID. CVE Records for public issues are published on our portal as soon as we are aware of the issue; issues reported under embargo are handled according to the Red Hat Embargo Policy.

All vulnerabilities under our purview are published to the Red Hat CVE Database.

Red Hat as a Root

Roots are an administrative function of the CVE Program and are responsible for the recruitment, training, and governance of CNAs under their purview.

Red Hat Root scope: "The Red Hat Root's scope includes the open source community: any open source organization that prefers Red Hat as its Root. Organizations are free to choose another Root if it suits them better."

Red Hat's responsibilities as a Root

  • Recruit open source projects to become CNAs.
  • Vet and onboard new CNAs.
  • Help CNAs establish governance.
  • Ensure CNAs follow the CNA Rules.
  • Ensure CNAs have access to CVE Program infrastructure for CVE ID reservation and record publication.
    • Provide CNAs with information on automated ID reservation and publication.
  • Provide training and support on CVE assessment and scoring, and ensure consistency across CNAs.
  • Provide mediation and resolution when a conflict arises between CNAs, or between a CNA and someone disputing a CVE assignment or scope.
  • Offer insight, tools, and automation for CVE assignment.

CVE Program Governance

CVE Numbering Authority (CNA) Rules
Red Hat Embargo Policy
Red Hat CNA Vulnerability Disclosure Policy
Red Hat Root CNA Appeals Process
End of Life Assignment Policy
Inactive CNA Policy
CNA Reserved but Public Policy

Excited to join the CVE Program?

You can fill in the CNA Registration form and choose “Red Hat” as your Root.

Alternatively, you can send us an email at Red Hat CNA Operations. One of our Product Security specialists will reach out and guide you through the process.

Red Hat as a CNA-LR

A CNA-LR assigns CVE IDs and publishes the corresponding CVE Records within its Root's scope, following the instructions of its Root or Top-Level Root. In simple terms, a CNA-LR performs the technical CNA functions on behalf of its designated Root for vulnerabilities that no more specific CNA covers.

Red Hat CNA-LR scope: "Vulnerabilities affecting open source projects that chose Red Hat as their Root and that are not covered by a more specific CNA."

The list of CVE Records assigned and published by the Red Hat CNA-LR is available at CVE Numbering Authority of Last Resort (CNA-LR).

Learn more about the Red Hat CNA-LR roles & responsibilities in the Red Hat CNA-LR Operational Guide.

How to reach us

You can reach Red Hat's CNA-LR operations team by sending an email to Red Hat CNA Operations. One of our Product Security specialists will reach out and guide you through the process.

Additional information on the CVE Program

See CVE Resources & Support for more information regarding the CVE Program.
