Security Contacts and Procedures

Red Hat takes security very seriously, and we aim to take immediate action to address serious security-related problems that involve our products or services.

Please report any suspected security vulnerability in a Red Hat product or service to Red Hat Product Security at secalert@redhat.com. You can use our GPG key to communicate with us securely.

To report an issue in any Red Hat branded website or online service, please contact Red Hat Information Security at site-security@redhat.com.

When to contact Red Hat Product Security

You should contact Red Hat Product Security if:

  • You think there might be a security vulnerability in a Red Hat product or service.
  • You want to provide feedback about our standards of service and performance. If you feel your security concern is not dealt with in a satisfactory manner, please contact secalert@redhat.com.

In all other cases, you should contact Red Hat Customer Experience & Engagement.

You should contact Red Hat Customer Experience & Engagement if:

  • You are unsure about how a known vulnerability affects a Red Hat product or service.
  • You wish to report an issue in a language other than English.
  • You require technical assistance for a security function (for example, "How do I configure my firewall?").
  • You need help upgrading packages due to security alerts. (Refer to "How do I apply package updates from the Red Hat Network?" for information on upgrading packages.)
  • Your issue is not security related.

In any of these cases, please contact Red Hat Customer Experience & Engagement instead.

Who reads email sent to secalert@redhat.com?

Only members of Red Hat Product Security, a restricted and carefully chosen group of Red Hat employees, will have access to material sent to the secalert@redhat.com address. No outside users can subscribe to this list.

Reporting security vulnerabilities in Red Hat Offerings

Red Hat Product Security welcomes and encourages all potential vulnerability submissions. For us to provide the best customer service and address issues in a timely manner, please provide the following information, if known:

  • The version number of the affected component, such as the RPM package, container image, or Java component.
  • The environment and corresponding version(s) where the issue was discovered, for example, the operating system's name, version, architecture, or container platform.
  • The steps to reproduce, if available.
  • The ways an attacker could exploit this vulnerability on a system.
  • Is the vulnerability already known to the public? If not, when is the planned date for disclosure?
  • The immediate impact if an attacker exploits the vulnerability, such as a denial of service, privilege escalation, or remote code execution.

How to contact us securely

Red Hat Product Security uses an OpenPGP key to secure our email communications. Mail sent to secalert@redhat.com can be encrypted with this public key. We expect to change the key we use from time to time. Should we change the key, the previous keys will be revoked, and the rhsa-announce mailing list will be notified of the change.

DCE3823597F5EAC4: Red Hat, Inc. (Product Security)

This key is used for communicating securely with Red Hat Product Security and for signing the security advisories posted to mailing lists.

Download: Red Hat
Fingerprint: 77E7 9ABE 9367 3533 ED09 EBE2 DCE3 8235 97F5 EAC4

Please do not send messages encrypted with this public key to any address other than security@redhat.com and secalert@redhat.com. We are unable to accept any non–security-related email that is encrypted with this public key.
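Before encrypting a report to the key above, a sender should confirm that the key in the local keyring really carries the published fingerprint, since a key ID alone is not proof of identity. The following shell helper is an added example, not Red Hat's own tooling; it assumes GnuPG is installed as `gpg` and that the public key has already been imported from the download link on this page. The key ID and fingerprint are the ones published above.

```shell
#!/bin/sh
# Fingerprint of the Red Hat Product Security key, as published on this page.
EXPECTED_FPR="77E7 9ABE 9367 3533 ED09 EBE2 DCE3 8235 97F5 EAC4"
# Long key ID from the page; used only to select the key in the local keyring.
RH_KEYID="DCE3823597F5EAC4"

# Normalise a fingerprint for comparison: drop spaces/newlines, uppercase.
norm_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when the supplied fingerprint equals the published one, 1 otherwise.
# Accepts gpg's spaced form, the 40-hex compact form, or lowercase input.
fpr_matches() {
  [ "$(norm_fpr "$1")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# Read the primary-key fingerprint for a key ID from the local keyring using
# gpg's machine-readable colon output ("fpr" record, field 10).
keyring_fpr() {
  gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Encrypt a report file to the key, but only after the fingerprint check passes.
# Output is ASCII-armoured next to the input (report.txt -> report.txt.asc).
encrypt_report() {
  report="$1"
  fpr="$(keyring_fpr "$RH_KEYID")"
  if ! fpr_matches "$fpr"; then
    echo "refusing to encrypt: keyring fingerprint '${fpr:-none}' does not match" >&2
    return 1
  fi
  # Address the recipient by full fingerprint rather than short key ID.
  gpg --batch --armor --encrypt \
    --recipient "$(norm_fpr "$EXPECTED_FPR")" \
    --output "$report.asc" "$report"
}
```

Run `encrypt_report report.txt` to produce `report.txt.asc`; the function exits non-zero without writing anything if the keyring key does not match the published fingerprint.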

How we respond

Email sent to secalert@redhat.com is read and acknowledged with a non-automated response within three working days. For issues that are complicated and require significant attention, we will open an investigation and will provide you with a mechanism to check the status of our progress at any time.

Any information you share with us about security issues that are not public knowledge is kept confidential within Red Hat. It is not passed on to any third party without your permission.

Notifications

Red Hat does not provide an advance notification service. Security advisories are available from Red Hat Product Security and via the Red Hat Customer Portal.

Common Criteria Timely Updates

Refer to the Life Cycle Security Update Policy for information on Red Hat's security update policy as well as information on embargoed (undisclosed) vulnerability handling.

Resources include the following:

Red Hat Security Updates (Advisories)

Red Hat CVE Database

Red Hat Common Vulnerabilities and Exposure (CVE) Program

Coordinated Vulnerability Disclosure (CVD)

Red Hat engages with partners, vendors, researchers, and community coordinators to disclose newly discovered vulnerabilities in hardware, software, and services. Multi-party coordination is a complex process, and understanding the parties' vulnerability disclosure policies, vulnerability handling policies, and contractual agreements opens the way to trusted communication and collaboration. Increasing transparency between parties ensures that vendors can understand and manage the risk imposed by the vulnerability and facilitates engagement with other parties. The aim of CVD is to provide timely and consistent guidance to parties and customers to help them protect themselves.

Please see the Red Hat CNA Vulnerability Disclosure Policy for details on how Red Hat discloses security vulnerabilities under the Red Hat/Fedora scope.

For more information on CVD, please review the information provided in the following links:

Guidelines and Practices for Multi-Party Vulnerability Coordination and Disclosure

The CERT Guide to Vulnerability Disclosure

PSIRT Services Framework