Red Hat Security Embargo Policy


An embargoed issue (most commonly associated with vulnerabilities) occurs when confidential details should not be publicly disclosed. The intent with embargoed issues is to minimize unintended risk to customer infrastructure until a fix and further details are ready to be shared publicly. Software vendors affected by an embargoed vulnerability are included in a coordinated disclosure process and a public date is agreed on to allow all vendors time to assess and fix the issue.

Red Hat prefers embargo disclosure timelines of less than 45 days. However, Red Hat will respect the wishes of the finder or coordination party regarding disclosure timelines. Red Hat considers an issue public (and/or embargo breached) in circumstances such as a commit in a public repo that clearly indicates that it is fixing the security vulnerability, or public discussion that the commit is fixing a security vulnerability.

Red Hat treats information received from any party in relation to a non-public vulnerability with strict confidence. Please refer to our disclosure policy for more information. Red Hat and Product Security take the handling of embargoed flaws seriously. Disclosing any information regarding an embargoed vulnerability to the public or an individual not authorized to have the information is considered an embargo breach.
