When it comes to identifying potential security vulnerabilities in software, the technology industry has relied upon the Common Vulnerabilities and Exposure (CVE) system for more than two decades. Red Hat is a long-time contributor to this program, first helping the CVE system to work with the open source community and, more recently, serving as a CVE Naming Authority (CNA). Today, we’re pleased to further extend our leadership in identifying and addressing potential vulnerabilities in the open source world as a Root within the CVE Program.
As a CNA, Red Hat remains responsible for assigning CVE identifiers to vulnerabilities that affect open source software, particularly those that impact Red Hat’s products and associated upstream projects. Additionally, Red Hat continues to have a well-established user base and regularly publishes security information that is consulted by researchers and vendors.
By becoming a Root, Red Hat will lean on its expertise and experience in identifying and analyzing CVEs to help guide and manage CNAs. Within the CVE program, Roots recruit, train and provide governance for their CNAs, effectively “building a bench” of organizations that can further assess and identify potential CVEs. Red Hat will serve as a mentoring organization for other entities, providing further expansion of the CVE program as the need to address potential software vulnerabilities continues to grow.
It’s imperative that potential vulnerabilities be identified, defined, publicly disclosed and mitigated in open source technologies, especially as adoption of this software becomes foundational to a wide range of critical systems globally. We’re very pleased to help share our comprehensive knowledge and expertise around this necessity to the broader open source community as a Root, providing an opportunity for more organizations and communities to expand their knowledge and create a stronger, more transparent software supply chain.
About the author
Pete Allor is the Director for Red Hat Product Security covering the full Red Hat portfolio. He is active in various industry security forums for incident response reporting and secure development, such as NIST and CISA industry calls for input as well as FIRST (first.org), CVE and ISO / ITU / OASIS standards on security.