Red Hat Root CNA Appeals Process

Appeals Process

As a Root, Red Hat must appropriately handle any and all issues escalated by and about CNAs within our scope.
If a party contends that a CNA under Red Hat’s Root Scope is not in compliance with MITRE’s CNA Rules, the party may contact Red Hat about the issue. Potential reasons for noncompliance include:

  1. Not responding in a timely manner, 
  2. Refusing to assign a CVE ID to a vulnerability, 
  3. Not populating a CVE Record in a timely manner, or 
  4. Inappropriately sanctioning a CNA.

Red Hat will then determine whether the report is accurate and take necessary actions. 

As a Root, Red Hat must:

  • Act as an escalation and adjudication point for issue resolution for its CNAs.
  • Address CVE assignment issues from its CNAs that require escalation.
  • Clearly document the dispute in the CVE Record if the Root assigns a CVE ID as the result of an escalated issue.
  • Provide documentation on how issues with a CNA can be escalated to the Root.
  • Maintain a public contact method so issues involving its CNAs may be escalated.
  • Be responsive to escalation requests.

If the party disagrees with Red Hat’s determination, the appeal proceeds as follows:

  • The party seeks to appeal a decision made by Red Hat, or to resolve a disagreement between Roots, by contacting the Top-Level Root, MITRE, at https://cveform.mitre.org/.
  • MITRE will set expectations for when a timely resolution may be available. Appeals of time-sensitive issues are prioritized, as determined by MITRE.
  • MITRE contacts the appropriate entities to collect information relevant to the issue. The CNAs involved in the dispute provide documentation per the rules established in this document. MITRE may also engage the Board for their consideration of the issue.
  • MITRE communicates its decision to all relevant parties once the disagreement or appeal has been fully considered. This result is final.
