Red Hat Unveils CVE Security Compatibility


United States, April 10, 2002

Red Hat Joins Editorial Board of MITRE Common Vulnerabilities and Exposures Project; Works with Industry Leaders to Improve Accuracy in Security Reporting

Red Hat, Inc. (Nasdaq:RHAT) today announced that security alerts and advisories, including updates issued through the Red Hat Network, will now use Common Vulnerabilities and Exposures (CVE) standard names.

The CVE project, maintained by the MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures. The common list makes it easier to share data across a broad group of technologies, and can improve the accuracy of alerts and updates that correct potential security issues. In January, the National Institute of Standards and Technology (NIST) issued a draft recommendation that government organizations adopt CVE standard solutions throughout their security infrastructure.

"One of the greatest strengths of open source development is the ability to harness the efforts of millions of programmers, users and vendors across the industry to quickly change software, including fixing vulnerabilities," said Mark Cox, senior director of engineering at Red Hat. "The CVE dictionary delivers a common language, enabling our customers to spend less time investigating and categorizing security events, reducing risk and any associated impact."

"The growing acceptance of CVE within the open source community is an important development," said MITRE's Steve Christey, who heads up the CVE Editorial Board and is editor of the CVE List. "We hope that Red Hat's commitment to CVE will encourage other open source vendors to become more actively engaged in this initiative. We formally welcome Mark to our CVE Board, and at the same time we appreciate the significant contributions he has made over the last five months."

Red Hat's Mark Cox Named to Editorial Board
Red Hat also announced today that Mark Cox has become the first employee of an open source vendor to join the CVE Editorial Board, whose members collaborate to determine the content of the list. The Board includes representatives from top vendors, academic institutions, government agencies, and prominent security experts. Prior to his appointment, Cox had worked as a liaison with the project since November, 2001.

"We are working with MITRE and the rest of the CVE Editorial Board to contribute and validate new entries that affect Linux and open source projects, as well as publish CVE entries in our security advisories," said Red Hat's Cox. "It is essential that security vulnerabilities get reported accurately so that affected users can make informed decisions."

For more information on the CVE project, please visit

About Red Hat, Inc.

Red Hat, the world's leading open source and Linux provider, is headquartered in Raleigh, NC with satellite offices spanning the globe. Red Hat is leading Linux and open source solutions into the mainstream by making high quality, low cost technology accessible. Red Hat provides operating system software along with middleware, applications and management solutions. Red Hat also offers support, training and consulting services to its customers worldwide and through top-tier partnerships. Red Hat's open source strategy offers customers a long term plan for building infrastructures that are based on and leverage open source technologies with focus on security and ease of management. Learn more:

Forward-Looking Statements

Forward-looking statements in this press release are made pursuant to the safe harbor provisions of Section 21E of the Securities Exchange Act of 1934. Investors are cautioned that statements in this press release that are not strictly historical statements, including, without limitation, management's plans and objectives for future operations, and management's assessment of market factors, constitute forward-looking statements which involve risks and uncertainties. These risks and uncertainties include, without limitation, reliance upon strategic relationships, management of growth, the possibility of undetected software errors, the risks of economic downturns generally, and in Red Hat's industry specifically, the risks associated with competition and competitive pricing pressures, the viability of the Internet, and other risks detailed in Red Hat's filings with the Securities and Exchange Commission, copies of which may be accessed through the SEC's Web site at

LINUX is a trademark of Linus Torvalds. RED HAT is a registered trademark of Red Hat, Inc. All other names and trademarks are the property of their respective owners.