Security Data

Red Hat Product Security is committed to providing tools and security data to help security measurement. Part of this commitment is our participation at board level in various projects such as MITRE CVE and OVAL. We also provide reports and metrics, but more importantly, we also provide the raw data below so customers and researchers can produce their own metrics, for their own unique situations, and hold us accountable.

The data resources linked on this page as well as their alternative representations available through the Security Data API are licensed under the Creative Commons Attribution 4.0 International License. If you distribute this content or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original.

CSAF/VEX Documents

The Common Security Advisory Framework (CSAF) standard enables organizations to share information about security issues using a consistent and common format. We provide Red Hat security advisories in CSAF format using the VEX profile as well as per-CVE VEX documents that contains information on both fixed and unfixed products/components.

SBOM Documents

Software Bill of Materials (SBOM) is a complete list of components, their versions, licensing information, provenance, and other metadata for a given product. Red Hat publishes SBOM documents for select products at:

OVAL Definitions

Note: OVAL/DS v1 files are no longer available and have been archived; see OVAL v1 deprecation announcement for more information.

OVAL definitions are available for vulnerabilities that were addressed in errata for Red Hat Enterprise Linux and select additional products. To completely evaluate your system you will need to evaluate it against the streams for all products installed on that system.

Vulnerability Metadata

Repository to CPE Mapping

Used for matching OVAL security data to installed RPMs. Each repository also includes a set of relative URLs from where the content of the repository can be downloaded.


An RSS feed that contains a list of Red Hat security advisories released in the last three days.

CPE Dictionary

CPE is a structured naming scheme for information technology systems, software, and packages. For reference, we provide a dictionary mapping the CPE names we use, to Red Hat product descriptions. Some of these CPE names will be for new products that are not in the official CPE dictionary, and should therefore be treated as temporary CPE names:

Security Data Archive

Security data files that have been retired are available in an archive. Each file is marked with a date (YYYYMMDD) when it was last updated: