Understanding Red Hat’s Product Security Incident Response Plan

Red Hat is committed to delivering secure, hardened, open source solutions for enterprises to employ across platforms and environments, from the core datacenter to the network edge. By operating transparently and responsibly, we continue to be a catalyst in open source communities, helping our customers build flexible, powerful IT infrastructure solutions.

Our Product Security team guides our product teams in building our solutions backed by secure development practices and industry standards. The final phase of the secure development process focuses on incident response and the necessary steps Red Hat must take to remediate our products and supported services. As vulnerabilities are publicly posted and identified, Red Hat’ Product Security Incident Response Team (PSIRT) quickly assesses and remediates these vulnerabilities to ensure our products are secured for our customers, their platforms and ecosystems.

We also decided that we would live true to our open source ethos and obtain feedback from the community. As a result, we have published a template for industry use and consideration. This document is the first public, open source Product Security Incident Response Plan created, and we look forward to collaborating with industry partners to improve our security processes.

The PSIRT is the executive agent in coordinating vulnerability responses across all of the Red Hat portfolio and follows the Red Hat Product Security Incident Response Plan (IRP). This plan alerts key internal stakeholders and assists directing the required resources to be allocated for the correction, testing, and distribution of the fixes to our subscribers to resolve the vulnerability.

The IRP proactively prepares Red Hat via Product Security to effectively handle security incidents related to product and services produced by Red Hat through four phases:

1. Notification & Triage
2. Assessment & Coordination
3. Remediation & Release
4. Recovery & Close

Red Hat Product Security can properly manage security issues in a timely manner as they relate to Red Hat Products and services by following these four phases. This process allows for successful delivery and timely information to our customers, partners, and other stakeholders. The IRP details the “what, where, who, why, and how” of Red Hat’s response - irrespective of the severity of the security vulnerability.

Red Hat Product Security reviews security vulnerabilities discovered or reported to us that affect projects and packages used by Red Hat products or services. Occasionally security flaws are recognized to be of great concern, or will generate significant media attention. These issues might be branded (with a name, logo, website), may be actively used in exploits "in the wild", or be a severe problem in core packages or operations of our products.

The Incident Response plan also helps ensure that Red Hat associates are aware of, and can assist in spreading awareness around, the facts of the vulnerability. The goal of the plan is not only the speedy delivery of patches, but also to provide clear, accurate information about the real level of risk a particular issue brings, so that when the public is made aware of the problem, the impact can calmly be assessed and thoughtful plans can be executed to mitigate and remediate the issue.

This plan delivers a clear process flow and assigned responsibilities around the remediation and status of the issue. These treatments and diagnostic information are tracked through the Vulnerability Response Center on the Red Hat Customer Portal. Here, full details around the vulnerability can be clearly seen, details about severity scoring, and CVE information can be accessed from this one central location. Quick links to security advisories are also provided.

Along with the notifications and patches, Red Hat Product Security will provide mitigations as available, detection scripts that subscribers can download and use within their own environments, and Ansible Playbooks that can be leveraged to discover and oftentimes remediate vulnerabilities.

As the fixes are provided, Red Hat Product Security uses an array of communications channels to provide information in the format readers desire (traditional knowledgebase articles, email alerts, social media alerts, etc.). Red Hat Insights subscribers will be instantly alerted of the issue, the exact scope of where the customer is vulnerable, and will often have remediation options provided for them.