Red Hat Vulnerability Management Certification Policy Guide


Red Hat Software Certification 2025

For Use with Red Hat Software Certification

Red Hat Customer Content Services

Abstract

The Red Hat Vulnerability Management Policy Guide describes the procedural, technical, and policy requirements for achieving Red Hat Vulnerability Management Certification for partner security solutions.
Version 9.28 updated December 10, 2025.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code and documentation. We are beginning with these four terms: master, slave, blacklist, and whitelist. Due to the enormity of this endeavor, these changes will be gradually implemented over upcoming releases. For more details on making our language more inclusive, see our CTO Chris Wright’s message.

The Vulnerability Management Certification Policy Guide outlines the technical and operational requirements for certifying third-party security scanning products with Red Hat.

Use this guide to certify your scanning solutions in alignment with Red Hat security best practices in jointly supported customer environments.

1.1. Audience

Red Hat offers Vulnerability Management Certification to commercial security vendors that provide container image vulnerability scanning solutions intended for use with Red Hat platforms.

1.2. Overview of the program

The Red Hat Vulnerability Management Certification Program provides a formal process to verify that partner security solutions correctly use Red Hat-provided security data for Red Hat products. This includes CVE metadata, severity ratings, exploitability information (CSAF-VEX), and remediation advisories (RHSA).

Note

Vulnerability management certification is distinct from Red Hat Container Certification. The Container Certification program focuses on verifying container images for supportability and compliance with Red Hat base image requirements.

Red Hat works directly with partners during the certification process to review scanner behavior, metadata handling, and report formatting. Certified products are listed in the Red Hat Ecosystem Catalog, helping establish technical alignment and assurance within the Red Hat ecosystem.

1.3. Create value for customers

The certification process enables partners to confirm that their vulnerability scanning solutions meet Red Hat standards for accuracy, compatibility, and security when assessing Red Hat-published container images and packages.

Red Hat customers benefit from trusted security tools that are tested and jointly supported by Red Hat and the partner, helping them maintain a secure and compliant container environment.

1.4. Vulnerability report format for certification

To conduct a certification review, submit the vulnerability scan results in a standardized CSV format with the following required fields:

  • CVE ID
  • Package
  • Package version
  • RH Severity
  • RH CVSS (if reported separately from the CVSS field)
  • Link, resource, or fix information (use this field to report the RHSA)

In addition, the following fields are optional but will greatly help with the certification review:

  • Container Name
  • Container Version Tag
  • PURL

The following example illustrates the recommended CSV format:

Registry,Repository,Container Tag,Image Digest,CVE ID,Package,Red Hat Severity,Red Hat CVSS,Red Hat RHSA Information,Fix Package Information
registry.access.redhat.com,ubi8/python-27,2.7-218,sha256:ef9b8ef384fbb5faf0985914c40839b5b26cb9dd82740ff1255c12a249143534,CVE-2023-30630,dmidecode 3.3-4.el8,Moderate,7.1,RHSA-2023:5252,dmidecode-3.3-4.el8_8.1
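A small validator for a report submitted in the format shown above, added here as an example; it is not part of this guide or of any partner's tooling. The column names follow the headers of the example table, which is an assumption (adjust REQUIRED if your export names them differently). The first data row is the page's dmidecode example; the second is a constructed bad row that carries an NVD-style severity word and no Red Hat CVSS score, the two mistakes section 2.3 warns about.

```python
import csv
import io
import re

# Column names follow the section 1.4 example table (assumption: partners use these exact
# header strings). The RHSA column may be empty when Red Hat has not shipped a fix yet.
REQUIRED = ["CVE ID", "Package", "Red Hat Severity", "Red Hat CVSS", "Red Hat RHSA Information"]
RH_SEVERITIES = {"Low", "Moderate", "Important", "Critical"}  # Red Hat's four-point scale
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
RHSA_RE = re.compile(r"\bRHSA-\d{4}:\d{4,}\b")


def validate_row(row: dict, line_no: int) -> list:
    """Return the problems found in one data row (an empty list means the row is acceptable)."""
    cell = lambda key: (row.get(key) or "").strip()  # DictReader yields None for short rows
    problems = []
    if not CVE_RE.match(cell("CVE ID")):
        problems.append(f"line {line_no}: malformed CVE ID {cell('CVE ID')!r}")
    if cell("Red Hat Severity") not in RH_SEVERITIES:
        problems.append(f"line {line_no}: severity {cell('Red Hat Severity')!r} is not on the Red Hat scale")
    try:
        score = float(cell("Red Hat CVSS"))
        if not 0.0 <= score <= 10.0:
            raise ValueError
    except ValueError:
        problems.append(f"line {line_no}: Red Hat CVSS {cell('Red Hat CVSS')!r} is not a base score in 0.0-10.0")
    # An empty advisory field is acceptable (no fix available); a non-empty one must name an RHSA.
    advisory = cell("Red Hat RHSA Information")
    if advisory and not RHSA_RE.search(advisory):
        problems.append(f"line {line_no}: advisory field {advisory!r} does not contain an RHSA ID")
    return problems


def validate_report(text: str) -> list:
    """Validate a whole CSV report: required header columns first, then every data row."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [f"header is missing required column(s): {', '.join(missing)}"]
    problems = []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        problems.extend(validate_row(row, line_no))
    return problems


# Constructed sample: line 2 is the page's dmidecode example, line 3 is a deliberately bad
# row with an NVD-style severity word and no usable Red Hat CVSS score.
SAMPLE_REPORT = """\
CVE ID,Package,Red Hat Severity,Red Hat CVSS,Red Hat RHSA Information,Fix Package Information
CVE-2023-30630,dmidecode 3.3-4.el8,Moderate,7.1,RHSA-2023:5252,dmidecode-3.3-4.el8_8.1
CVE-2023-30630,dmidecode 3.3-4.el8,HIGH,N/A,RHSA-2023:5252,dmidecode-3.3-4.el8_8.1
"""

if __name__ == "__main__":
    for problem in validate_report(SAMPLE_REPORT):
        print(problem)
```

Run against the sample, the validator accepts line 2 and reports two problems for line 3: the severity is not one of Low, Moderate, Important, or Critical, and the CVSS cell is not a numeric base score.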

The Vulnerability Management Certification focuses on scan accuracy and completeness for Red Hat content, including RPMs, RPM modules, non-RPM components, and layered products. Red Hat also encourages the use of CSAF-VEX for gathering information about non-RPM content.

The following requirements define technical compliance criteria.

2.1. Red Hat security data usage requirements

You must use Red Hat’s CSAF-VEX (Common Security Advisory Framework – Vulnerability Exploitability eXchange) files as the standard data source for identifying and reporting Red Hat CVEs (Common Vulnerabilities and Exposures). These files ensure accurate and consistent reporting of vulnerabilities that are affected, fixed, or not applicable across Red Hat products.

Success Criteria

  • The report uses CSAF-VEX for Red Hat product assessments
  • The vulnerability output includes VEX metadata

2.2. Red Hat package identification

To minimize false positives, your security tool must accurately identify Red Hat package versions across RPMs, RPM modules, and non-RPM content, including container-first non-RPM and Maven-based artifacts. Red Hat uses backporting to apply security fixes from newer versions of upstream software packages to older package versions it distributes. When backporting a fix, Red Hat:

  • Identifies the specific security fixes and isolates them from unrelated changes
  • Ensures the fixes do not introduce unwanted side effects
  • Applies the fixes to the appropriate older package version

Basing vulnerability assessments solely on software package version numbers can be misleading. This approach can fail to account for backported security fixes and can result in false positives.

Success Criteria

  • The report correctly interprets Red Hat RPM versioning
  • The report avoids version-only judgments and accurately recognizes backported fixes
  • The report demonstrates a reduced false-positive rate
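To show why release-aware comparison matters, here is an added example, written for readers of this guide and not Red Hat's or rpm's own code. It re-implements rpm's version-comparison rules in Python and checks an installed package against the package shipped in the advisory, using the dmidecode row from the section 1.4 example. The upstream fix version 3.5 is an assumption used only to make the version-only false positive visible; the fixed package dmidecode-3.3-4.el8_8.1 and RHSA-2023:5252 come from the page.

```python
import re

ASCII_ALNUM = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings segment by segment following rpm's rules:
    numeric segments compare as integers, alphabetic ones as strings, numeric beats
    alphabetic, '~' sorts before anything (pre-release), '^' sorts after the base but
    before any further segment. Python re-implementation written for this example.
    Returns 1 if a is newer, -1 if b is newer, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # Skip separators: anything that is not alphanumeric, '~' or '^'.
        while i < len(a) and a[i] not in ASCII_ALNUM and a[i] not in "~^":
            i += 1
        while j < len(b) and b[j] not in ASCII_ALNUM and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":          # tilde: older than everything, even end of string
            if ca != "~":
                return 1
            if cb != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":          # caret: newer than end of string, older than a segment
            if ca == "":
                return -1
            if cb == "":
                return 1
            if ca != "^":
                return 1
            if cb != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if ca == "" or cb == "":
            break
        isnum = ca.isdigit()
        pattern = r"[0-9]+" if isnum else r"[A-Za-z]+"
        sa = re.match(pattern, a[i:]).group(0)
        mb = re.match(pattern, b[j:])
        if mb is None:
            return 1 if isnum else -1       # numeric segment is newer than an alphabetic one
        sb = mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nevr(pkg: str) -> tuple:
    """Split 'name-[epoch:]version-release' or the report's 'name version-release' form
    into (name, epoch, version, release). Assumption: any architecture suffix is already gone."""
    if " " in pkg:
        name, vr = pkg.split(" ", 1)
    else:
        name, ver, rel = pkg.rsplit("-", 2)
        vr = f"{ver}-{rel}"
    version, release = vr.rsplit("-", 1)
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, epoch, version, release


def compare_evr(a: tuple, b: tuple) -> int:
    """Compare (epoch, version, release): epoch as an integer, then version, then release."""
    if int(a[0]) != int(b[0]):
        return 1 if int(a[0]) > int(b[0]) else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def is_fixed_by_advisory(installed: str, fixed: str) -> bool:
    """True when the installed package is at or beyond the NEVR shipped in the RHSA."""
    n1, *evr1 = split_nevr(installed)
    n2, *evr2 = split_nevr(fixed)
    if n1 != n2:
        raise ValueError(f"package name mismatch: {n1} vs {n2}")
    return compare_evr(tuple(evr1), tuple(evr2)) >= 0


def assess(installed: str, rhsa_fixed: str, upstream_fixed_version: str) -> dict:
    """Contrast a version-only judgment with an EVR comparison against the RHSA package."""
    version = split_nevr(installed)[2]
    return {
        "version_only": "fixed" if rpmvercmp(version, upstream_fixed_version) >= 0 else "vulnerable",
        "rhsa_evr": "fixed" if is_fixed_by_advisory(installed, rhsa_fixed) else "vulnerable",
    }


if __name__ == "__main__":
    # "3.5" as the upstream fix version is an assumption for illustration only.
    for pkg in ("dmidecode-3.3-4.el8", "dmidecode-3.3-4.el8_8.1"):
        print(pkg, assess(pkg, "dmidecode-3.3-4.el8_8.1", "3.5"))
```

For the patched package dmidecode-3.3-4.el8_8.1 the version-only judgment still says "vulnerable" because 3.3 is below the upstream fix version, while the EVR comparison against the advisory package says "fixed"; that gap is the false positive section 2.2 asks scanners to eliminate.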

2.3. Red Hat Severity Ratings

Your scanner must include Red Hat CVE metadata in the default scan reports. This includes both the severity rating and the Common Vulnerability Scoring System (CVSS) base score provided by Red Hat. If your tool displays Red Hat CVE metadata separately from general severity or CVSS fields, it must do so by default, without requiring additional configuration.

Red Hat Product Security assigns severity ratings by using a four-point scale: Low, Moderate, Important, and Critical. It also provides a Common Vulnerability Scoring System (CVSS) base score to offer a more detailed, standardized view of risk. These scores help users prioritize vulnerabilities and make informed decisions about system upgrades based on their specific environments.

For open source software shipped by multiple vendors, the CVSS base scores can vary between vendors depending on several factors, including package versions, compilation methods, platforms, and deployment scenarios. This makes scoring vulnerabilities difficult for third-party vulnerability databases, such as the National Vulnerability Database (NVD), which assigns a single CVSS base score per vulnerability; that single score might not align with how Red Hat packages and uses the software.

Additional discrepancies can occur based on factors such as compiler flags, hardening techniques, or how you use the software within the product. In some cases, code can be present but not exploitable within Red Hat’s usage context.

Because of these differences, Red Hat strongly recommends using Red Hat-provided severity ratings and CVSS scores instead of relying on third-party sources. As part of the certification requirements, your scanner must display Red Hat’s severity scale and scoring data to ensure users receive accurate and actionable information.

Success Criteria

  • The scan report uses Red Hat-provided CVE metadata at the correct product and component level
  • The report displays Red Hat’s severity scale (Low, Moderate, Important, Critical)
  • The report includes Red Hat’s CVSS base scores alongside severity ratings

2.4. Red Hat Security Advisory Requirements

For any CVE with an available fix from Red Hat, you must accurately identify and report the corresponding Red Hat Security Advisory (RHSA). The RHSA must match the specific vulnerable component and the impacted artifact reported in the scan.

Providing accurate RHSA data ensures that users can locate official Red Hat remediation guidance and apply verified fixes aligned with Red Hat’s supported software lifecycle.

Success Criteria

  • The report includes the correct RHSA for each applicable CVE
  • The RHSA matches the affected component and artifact as identified in the scan

2.5. Red Hat CVEs exclusion criteria

Your scanner must exclude CVEs that Red Hat has marked as Not affected, Rejected, or Disputed. These vulnerabilities should not appear in the scan results. If your scanner includes them, the report must clearly indicate their status to avoid misinterpretation or false alarms.

Success Criteria

  • The scan report does not include CVEs marked as Not affected, Rejected, or Disputed by Red Hat
  • If listed, these CVEs are clearly labeled with their correct status
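The following added example, which is not from this guide or from Red Hat's tooling, shows the lookups that sections 2.1, 2.3, 2.4 and 2.5 ask for in one place: it reads a constructed CSAF 2.0 VEX document, resolves a product's exploitability status, Red Hat severity and CVSS base score, extracts the RHSA from the vendor_fix remediation, and drops or labels known_not_affected entries. The field names follow the CSAF 2.0 schema; the product IDs and the document itself are invented for the example, while the CVE, severity, score and RHSA come from the section 1.4 row. In a real scanner the "fixed" entries would additionally be compared against the installed package's EVR, as section 2.2 describes.

```python
import json
import re

# Constructed CSAF 2.0 VEX document (assumption: it follows the CSAF 2.0 field names used by
# Red Hat's CSAF-VEX files; the product IDs are invented for this example). The CVE, severity,
# base score, RHSA ID and fixed NEVR come from the example row in section 1.4.
FIXED_ID = "rhel8:dmidecode-0:3.3-4.el8_8.1"
AFFECTED_ID = "rhel8:dmidecode-0:3.3-4.el8"
NOT_AFFECTED_ID = "rhel9:dmidecode"

VEX_JSON = """{
  "document": {"category": "csaf_vex", "aggregate_severity": {"text": "Moderate"},
               "title": "Constructed sample VEX for CVE-2023-30630"},
  "vulnerabilities": [{
    "cve": "CVE-2023-30630",
    "product_status": {
      "fixed": ["rhel8:dmidecode-0:3.3-4.el8_8.1"],
      "known_affected": ["rhel8:dmidecode-0:3.3-4.el8"],
      "known_not_affected": ["rhel9:dmidecode"]
    },
    "threats": [{"category": "impact", "details": "Moderate",
                 "product_ids": ["rhel8:dmidecode-0:3.3-4.el8_8.1", "rhel8:dmidecode-0:3.3-4.el8"]}],
    "scores": [{"cvss_v3": {"version": "3.1", "baseScore": 7.1},
                "products": ["rhel8:dmidecode-0:3.3-4.el8_8.1", "rhel8:dmidecode-0:3.3-4.el8"]}],
    "remediations": [{"category": "vendor_fix", "url": "https://access.redhat.com/errata/RHSA-2023:5252",
                      "product_ids": ["rhel8:dmidecode-0:3.3-4.el8_8.1"]}]
  }]
}"""

STATUSES = ("fixed", "known_affected", "known_not_affected", "under_investigation")
RHSA_RE = re.compile(r"RHSA-\d{4}:\d+")


def load_vex() -> dict:
    return json.loads(VEX_JSON)


def product_status(vuln: dict, product_id: str):
    """Return the product_status bucket that lists product_id, or None if it is not listed."""
    for status in STATUSES:
        if product_id in vuln.get("product_status", {}).get(status, []):
            return status
    return None


def red_hat_severity(vex: dict, vuln: dict, product_id: str):
    """A per-product impact (threats[category=impact]) wins over the document-level aggregate."""
    for threat in vuln.get("threats", []):
        if threat.get("category") == "impact" and product_id in threat.get("product_ids", []):
            return threat.get("details")
    return vex["document"].get("aggregate_severity", {}).get("text")


def red_hat_cvss(vuln: dict, product_id: str):
    """Red Hat's own CVSS v3 base score for the product, not a third-party score."""
    for score in vuln.get("scores", []):
        if product_id in score.get("products", []):
            return score.get("cvss_v3", {}).get("baseScore")
    return None


def rhsa_for(vuln: dict, product_id: str) -> str:
    """Extract the RHSA ID from the vendor_fix remediation that covers product_id."""
    for rem in vuln.get("remediations", []):
        if rem.get("category") == "vendor_fix" and product_id in rem.get("product_ids", []):
            match = RHSA_RE.search(rem.get("url", ""))
            return match.group(0) if match else rem.get("url", "")
    return ""


def report_rows(vex: dict, product_ids: list, include_not_affected: bool = False) -> list:
    """Build report rows (section 1.4 columns) for each CVE/product pair the VEX file covers.
    known_not_affected entries are dropped by default; when kept they carry an explicit
    VEX Status label so they cannot be mistaken for findings (section 2.5)."""
    rows = []
    for vuln in vex["vulnerabilities"]:
        for pid in product_ids:
            status = product_status(vuln, pid)
            if status is None or (status == "known_not_affected" and not include_not_affected):
                continue
            rows.append({
                "CVE ID": vuln["cve"],
                "Package": pid,
                "Red Hat Severity": red_hat_severity(vex, vuln, pid),
                "Red Hat CVSS": red_hat_cvss(vuln, pid),
                "Red Hat RHSA Information": rhsa_for(vuln, pid) if status == "fixed" else "",
                "VEX Status": status,
            })
    return rows


if __name__ == "__main__":
    for row in report_rows(load_vex(), [FIXED_ID, AFFECTED_ID, NOT_AFFECTED_ID], include_not_affected=True):
        print(row)
```

With the default settings the not-affected RHEL 9 entry never reaches the report; with include_not_affected=True it is emitted with VEX Status set to known_not_affected, which is the labelling section 2.5 requires when such entries are listed at all.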

Chapter 3. Recertification

Complete your recertification process annually to remain compliant with Red Hat products or platforms.

During the recertification process, you must rescan the latest Red Hat test-harness images and deliver the results by initiating a new certification cycle. You must submit these results within one month of the recertification start date.

After receiving the reports, Red Hat will review and verify the results. The response timeline can vary depending on the number and complexity of issues identified in the scan. Typically, our security engineers provide feedback within one to four weeks. This review period does not count toward the two-month grace period, and delays caused by Red Hat’s internal review process will not result in any penalty.

Red Hat will publish updated test-harness images annually. You will then have a two-month grace period to either begin the recertification process or provide a certification plan and roadmap. If you fail to take action within this time frame, Red Hat will mark the scanner as “date-flagged.”

After you successfully complete the Certification, Red Hat publishes your product entry to the Red Hat Ecosystem Catalog. This includes your product name and supporting information gathered during the certification process.

Your catalog description must accurately reflect only what Red Hat has tested and certified. You must include the certified software version information with your certification.

If you want to remove your certified product or its listing from the catalog, contact the Red Hat certification team to request its removal.

Appendix A. Glossary

This glossary defines the key terms and concepts used throughout the guide, so that readers share a common understanding of the Vulnerability Management processes it describes.

Backporting
The process by which Red Hat applies security fixes from newer versions of upstream software packages to the older package versions it distributes, without upgrading to the full new version.
Common Security Advisory Framework – Vulnerability Exploitability eXchange (CSAF-VEX)
A standardized data format used by Red Hat to communicate the exploitability status of vulnerabilities (CVEs) in its products, such as whether they are affected, fixed, or not applicable.
Common Vulnerabilities and Exposures (CVE)
A publicly maintained list of known cybersecurity vulnerabilities and exposures, each assigned a unique identifier (e.g., CVE-2024-12345).
Common Vulnerability Scoring System (CVSS)

A free and open industry standard used to assess and quantify the severity of cybersecurity vulnerabilities. CVSS assigns a numeric score (typically from 0.0 to 10.0) based on factors such as ease of exploitation, potential impact, and the availability of mitigations. These scores help organizations prioritize which vulnerabilities to address first.

Red Hat provides its own CVSS base scores for vulnerabilities affecting its products, based on Red Hat-specific impact and exploitability assessments.

CVE Numbering Authority (CNA)
An organization authorized by the CVE Program to assign CVE identifiers (CVE-IDs) to vulnerabilities and publish related information. CNAs are responsible for identifying and disclosing vulnerabilities within their scope, which can include specific vendors, products, or ecosystems. Red Hat is a CNA and can assign CVEs for vulnerabilities found in its products.
Certification Case
A record created in RHCert Connect to track the certification process for a specific product, including test results, documentation, and Red Hat certification team feedback.
Date-Flagged
A status assigned to a certified scanner in the Red Hat Ecosystem Catalog if recertification requirements are not met within the specified grace period.
National Vulnerability Database (NVD)
The U.S. government repository of standards-based vulnerability management data. It includes information about known vulnerabilities (CVEs), along with severity scores, impact metrics, and references. The NVD uses the Security Content Automation Protocol (SCAP) to support automated security management, compliance, and vulnerability scanning.
Open Vulnerability and Assessment Language (OVAL)
An open standard used to describe security advisories and configuration checks, commonly used in Red Hat’s security automation tools.
Package URL (PURL)
A standardized way to identify software packages by their type, name, version, and other attributes, providing a universal and unambiguous reference.
Red Hat Ecosystem Catalog
The official Red Hat catalog, where certified partner solutions and products are listed.
Red Hat Security Advisory (RHSA)
Official advisories published by Red Hat that provide information about security vulnerabilities affecting Red Hat products, including severity and the availability of fixes.
RPM Package Manager (RPM)
A free and open source package management system used by Red Hat and other Linux distributions to manage software packages.
Red Hat Partner Connect
Red Hat’s partner program, which provides tools, resources, and support to help organizations build, certify, and market their solutions with Red Hat technologies.
RHCert Connect
RHCert Connect is a partner portal used to manage Red Hat certification workflows, including submitting products for certification, uploading test results, and tracking certification status.
Technology Support Alliance Network (TSANet)
TSANet is a global, not-for-profit industry association that provides a framework for multi-vendor technical support collaboration, enabling companies to work together to resolve customer issues.
Universal Base Image (UBI)
A Red Hat-provided container base image that can be freely used and redistributed, with access to certified Red Hat content and support for partners and customers.
VEX Metadata
Information provided in a VEX file that describes the exploitability status of a vulnerability in the context of a specific product or environment.

Providing feedback on Red Hat documentation

We appreciate your feedback on our documentation. Let us know how we can improve it.

Submitting feedback through Jira (account required)

  1. Log in to the Jira website.
  2. Click Create in the top navigation bar.
  3. Enter a descriptive title in the Summary field.
  4. Enter your suggestion for improvement in the Description field. Include links to the relevant parts of the documentation.
  5. Click Create at the bottom of the dialogue.

Legal Notice

Copyright © Red Hat.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.