Within Red Hat’s Coordinated Vulnerability Disclosure (CVD) framework, an embargo is a strictly-defined window of time during which a security vulnerability is known only to a small group of trusted parties before being made public, including the vulnerability reporter and the relevant upstream community and partners.
Why are embargoes necessary?
The primary goal of an embargo is customer protection. If a severe vulnerability is disclosed immediately upon discovery by way of "full disclosure" without an available patch, malicious actors have a window of opportunity to exploit systems while users are defenseless. An embargo provides vendors the necessary time to develop, test, and package a fix, as well as coordinate with the trusted parties mentioned above.
The role of an embargo
An embargo is not about secrecy for secrecy’s sake, it is a temporary, tactical head start for defenders.
- Restricted access: Details are shared only with those essential to fixing the issue.
- Time-boxed: Embargoes are never indefinite. Red Hat advocates for short timelines, typically under 30 days, to encourage fast remediation of issues rather than keeping them private.
- External coordination: Since vulnerabilities are often reported through external channels, such as third-party security researchers, Red Hat also operates within embargo terms set by these parties. We respect the externally-defined parameters to maintain the trust required for a successful coordinated release.
- Coordinated release: The embargo ends on a specific "Coordinated Release Date", where the vulnerability details and the fix are published simultaneously.
Handling leaks
Trust is the currency of an embargo. If information leaks to the public— such as through an upstream bug tracker or social media—prior to the agreed date, the embargo is considered broken. In these cases, Red Hat moves to immediate public disclosure so customers are aware of the risk.
Getting in touch
If you discover a vulnerability or suspect a leak in an existing embargo process, please contact Red Hat Product Security immediately at secalert@redhat.com. We recommend using the Red Hat Product Security GPG key for encrypted communication.
Produktsicherheit bei Red Hat
Über den Autor
Ähnliche Einträge
Chasing the holy grail: Why Red Hat’s Hummingbird project aims for "near zero" CVEs
Elevate your vulnerabiFrom challenge to champion: Elevate your vulnerability management strategy lity management strategy with Red Hat
Data Security And AI | Compiler
Data Security 101 | Compiler
Nach Thema durchsuchen
Automatisierung
Das Neueste zum Thema IT-Automatisierung für Technologien, Teams und Umgebungen
Künstliche Intelligenz
Erfahren Sie das Neueste von den Plattformen, die es Kunden ermöglichen, KI-Workloads beliebig auszuführen
Open Hybrid Cloud
Erfahren Sie, wie wir eine flexiblere Zukunft mit Hybrid Clouds schaffen.
Sicherheit
Erfahren Sie, wie wir Risiken in verschiedenen Umgebungen und Technologien reduzieren
Edge Computing
Erfahren Sie das Neueste von den Plattformen, die die Operations am Edge vereinfachen
Infrastruktur
Erfahren Sie das Neueste von der weltweit führenden Linux-Plattform für Unternehmen
Anwendungen
Entdecken Sie unsere Lösungen für komplexe Herausforderungen bei Anwendungen
Virtualisierung
Erfahren Sie das Neueste über die Virtualisierung von Workloads in Cloud- oder On-Premise-Umgebungen
