Red Hat Common Vulnerabilities and Exposure (CVE) Program


Red Hat’s involvement in the CVE Program

For over 20 years, Red Hat has operated as a CVE Numbering Authority (CNA), currently as two separate CNAs:

  • Red Hat CNA scope: Vulnerabilities in open source projects affecting Red Hat offerings that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported Red Hat offerings.
  • Fedora Project CNA scope: Vulnerabilities in open source projects affecting the Fedora Project that are not covered by a more specific CNA. CVEs can be assigned to vulnerabilities affecting end-of-life or unsupported releases by the Fedora Project.

Our relationship with MITRE and the CVE Program is key to our ability to respond to vulnerabilities efficiently.

Reporting a security vulnerability to Red Hat

All security issues (potential or verified security vulnerabilities) within the Red Hat and Fedora Project scope should be reported via secalert@redhat.com.

Additional information on reporting security vulnerabilities can be found via Security Contacts and Procedures.
 
Please see the Red Hat CNA Vulnerability Disclosure Policy for details on how Red Hat discloses security vulnerabilities under the Red Hat/Fedora scope.

CVE assignment and publication by Red Hat

Red Hat takes its CNA responsibilities seriously and thoroughly triages every reported security issue to determine whether it is a valid vulnerability. If it is, Red Hat requests a CVE ID through the CVE Program.

All vulnerabilities under our purview are published to the Red Hat CVE Database.

Red Hat as a Root

Roots are an administrative function of the CVE Program and manage the CNAs under their purview. As a Root, Red Hat has CNAs reporting to it through the CVE Program.

Red Hat Root scope: "Any open-source organizations that choose Red Hat as their Root; organizations are free to choose another Root if it suits them better."

Red Hat's responsibilities as a Root

  • Recruit open source projects to become CNAs.
  • Vet and onboard new CNAs.
  • Help CNAs establish governance. 
  • Ensure CNAs are following CNA rules.
  • Ensure CNAs have access to CVE Program infrastructure for CVE ID reservation and record publication.
    • Provide CNAs with information on automated ID reservation and publication.
  • Provide training and support on CVE assessment and scoring, and ensure consistency across CNAs.
  • Provide mediation and resolution when conflict arises between CNAs or a CNA and someone disputing a CVE assignment or scope.
  • Offer insight, tools, and automation for CVE assignment.

CVE Program Governance

  • CVE Numbering Authority (CNA) Rules
  • Red Hat Embargo Policy
  • Red Hat CNA Vulnerability Disclosure Policy
  • Red Hat Root CNA Appeals Process
  • End of Life Assignment Policy
  • Inactive CNA Policy
  • CNA Reserved but Public Policy

Interested in becoming a CNA?

If you have any questions or are interested in becoming a CNA, contact Red Hat CNA Operations.
 
Ready to become a CNA? Please submit your request, and Red Hat will be in touch to discuss onboarding.

Additional information on the CVE Program

See CVE Resources & Support for more information on the CVE Program.
