Security Response Team
The Red Hat Security Response Team makes sure that security issues found in Red Hat products and services are addressed.
Our mission is to:
- Be the point of contact for customers, users, and researchers who have found security issues in our products and services, and to publish the procedures for dealing with this contact.
- Track alerts and security issues in the community that may affect users of Red Hat products and services.
- Investigate and address security issues in our supported products and services.
- Ensure timely security fixes for our supported products and services.
- Ensure that customers can easily find, obtain, and understand security advisories and updates.
- Help customers keep their systems updated, to minimize the risk of security issues.
- Work with other vendors of Linux and open source software (including our competitors) to reduce the risk of security issues through information sharing and peer review.
Refer to the Security Contacts and Procedures page for information on how to report a security issue in a Red Hat product or service.
Standards of Service
The Red Hat Security Response Team:
- Reads and responds (non-automated) to all email communication within three working days.
- Keeps you informed. If the issue you tell us about is complicated and requires greater attention from our technical staff, we contact you to explain this and when to expect a more detailed response. If prolonged investigations are necessary, we keep you informed of our progress at least every five working days, or alternatively, provide you with a mechanism to check the status of our progress at any time.
- Works with you to identify other organizations, such as other open source software vendors, that you may wish to also contact about the issue.
- Directs all customers without security-related inquiries to more appropriate contact points.
Treating Your Communication in Confidence
We want you to feel you can share information about security issues with us in confidence. If the information you share with us is not already public knowledge, we will:
- Keep the information you share with the Security Response Team confidential within Red Hat, unless you have agreed otherwise.
- Give you a mechanism to communicate with us over a secure channel.
- Not share the information you send to us with any third-parties (including CERT, MITRE, or our partners and customers) without your agreement.
- Expect you to treat communication from us in the same way, and to inform us if you communicate details of the issue to any other party.
How We Address Security Flaws
The Red Hat Security Response Team follows an internal process for dealing with security issues known to us. We investigate and verify the issue, analyze which products are affected, determine the impact, and determine the remedial action that needs to be taken.
In the cases where a security update needs to be produced, we work to ensure the fix causes minimal side effects. We also work with you to determine an appropriate public notification date.
Dealing with Complaints
The policies on this page allow you to hold us accountable for our performance. We would like to hear from you if you have any feedback on our standards of service and performance. Contact the Security Response Team first, and if you feel your comment or complaint is not handled in a satisfactory manner, please contact the customer service manager at email@example.com.
Notifications and Advisories
Refer to the Notifications and Advisories page for information on how to be notified about new security advisories, policies on advance notification, and where to find official statements for vulnerabilities under investigation or those that do not affect Red Hat.