Red Hat CNA-LR Operational Guide

Purpose

The purpose of this document is to outline the roles and responsibilities of Red Hat CNA-LR, and the associated process workflow.

A PDF copy of this document, the Red Hat CNA-LR Operational Guide, is available to download.

Last updated: February 19, 2025

Red Hat CNA-LR Responsibilities

MUST follow the CNA Operational Rules as outlined in Section 2.4 of the CNA Rules and any additional rules specified by MITRE (the Top-Level Root (TL-Root)), which include the activities below, but are not limited to them:

  • CVE ID Assignment and publishing within the Red Hat Root’s scope, as part of the MITRE TL-Root hierarchy within the CVE® Program
  • For any CVE (when the vulnerability is in software developed by a CNA within the Red Hat Root hierarchy, or there is a CVE Record from a CNA within the Red Hat Root hierarchy) that is being disputed, perform the actions as directed by the Red Hat Root
  • Provide/Contribute necessary tooling and data governance support to the Red Hat Root

CVE ID Assignment and publishing

CVE Assignment request for Vulnerabilities within the scope of a CNA under the Red Hat Root

If the Red Hat CNA-LR is contacted by a reporter or requester requesting a CVE ID for a vulnerability, regardless of whether that vulnerability is publicly disclosed or not, the Red Hat CNA-LR SHOULD either refer the reporter or requester to, or attempt to notify, the appropriate CNA, as outlined in Section 4.3 of the CNA Rules.

Otherwise, the Red Hat CNA-LR MUST NOT engage in any CVE assignment or publication action for the vulnerability in response to that contact (this "otherwise" section applies if the Red Hat CNA-LR knows that the appropriate CNA has already been notified, or if the Red Hat CNA-LR determines that the reporter or requester is not acting in good faith, such as spam about invalid findings).

If the Red Hat Root determines that the CNA has refused to assign a CVE for any reason, the Red Hat Root MAY direct the Red Hat CNA-LR to assign a CVE for that reported vulnerability at the conclusion of the Dispute process. Once notified by the Red Hat Root, the Red Hat CNA-LR should assign a CVE ID within 72 hours. The Red Hat CNA-LR should also publish the CVE Record within 24 hours of assigning the CVE ID.

Ownership of the CVE Record MAY be transferred at the request of the Red Hat Root or MITRE to another entity within the CVE Program. The Red Hat Root MAY define more specific and stringent timelines, and the days of the week on which they apply, for the Red Hat CNA-LR.

All other CVE Assignment Requests

If the Red Hat CNA-LR is contacted by a reporter or requester requesting a CVE ID for a vulnerability, regardless of whether that vulnerability is publicly disclosed or not, the Red Hat CNA-LR SHOULD either refer the reporter or requester to, or attempt to notify, a CNA or TL-Root (specifically: the Red Hat CNA if the vulnerability is in the Red Hat CNA scope; any other CNA if the vulnerability is in software or hardware developed by that CNA; the CISA TL-Root if the vulnerability is in a product of the U.S. civilian government, an industrial control system, or a medical device; or the MITRE TL-Root in other cases).

Otherwise, the Red Hat CNA-LR MUST NOT engage in any CVE assignment or publication action for the vulnerability (this "otherwise" section applies if the Red Hat CNA-LR knows that the CNA or TL-Root has already been notified, or if the Red Hat CNA-LR determines that the reporter or requester is not acting in good faith, such as spam about invalid findings).

Publishing Reserved but Public (RBP) CVE ID

As outlined in Section 4.5.1.4 of the CNA Rules, if the Red Hat Root directs the Red Hat CNA-LR to publish a CVE Record for a CVE ID assigned by a CNA, the Red Hat CNA-LR should publish that CVE Record within 24 hours of the record being made public. The Red Hat Root MAY define more specific and stringent timelines, and the days of the week on which they apply, for the Red Hat CNA-LR to take action. Ownership of the CVE Record MAY be transferred at the request of the Red Hat Root or the MITRE TL-Root.

Tooling and Data Governance Support for the Root

Validate completeness of the CVE Record data

CVE Services facilitates the reservation of CVE IDs and the inclusion of data elements such as CVSS, CWE, CPE, and other data in the CVE Record. If the Red Hat Root has a policy that mandates its CNAs to include particular data elements, the Red Hat Root MAY task the Red Hat CNA-LR to perform periodic audits of the completeness of CVE Records published by those CNAs accordingly, and to submit the report to the Root.

Handle Disputes

As outlined in the CVE Record Dispute Policy, the CNA, Roots, Top-Level Roots (TL-Root), and the Council of Roots (CoR) are responsible for coordinating the dispute and escalation process. As directed by the Red Hat Root or MITRE TL-Root, the Red Hat CNA-LR should perform the necessary CVE Record creation/updates.

The Red Hat Root MAY direct the Red Hat CNA-LR to add a DISPUTED tag and supporting information to the CVE Record, as outlined in the CVE Record Dispute Policy.