
Appendix A. Glossary


This glossary defines the key terms and concepts used throughout the guide, to ensure clarity and a common understanding of Vulnerability Management processes.

Backporting

The process by which Red Hat applies security fixes from newer versions of upstream software packages to the older package versions it distributes, without upgrading to the full new version.

Common Security Advisory Framework – Vulnerability Exploitability eXchange (CSAF-VEX)

A standardized data format used by Red Hat to communicate the exploitability status of vulnerabilities (CVEs) in its products, such as whether they are affected, fixed, or not applicable.

Common Vulnerabilities and Exposures (CVE)

A publicly maintained list of known cybersecurity vulnerabilities and exposures, each assigned a unique identifier (e.g., CVE-2024-12345).

Common Vulnerability Scoring System (CVSS)

A free and open industry standard used to assess and quantify the severity of cybersecurity vulnerabilities. CVSS assigns a numeric score (typically from 0.0 to 10.0) based on factors such as ease of exploitation, potential impact, and the availability of mitigations. These scores help organizations prioritize which vulnerabilities to address first.

Red Hat provides its own CVSS base scores for vulnerabilities affecting its products, based on Red Hat-specific impact and exploitability assessments.

CVE Numbering Authority (CNA)

An organization authorized by the CVE Program to assign CVE identifiers (CVE-IDs) to vulnerabilities and publish related information. CNAs are responsible for identifying and disclosing vulnerabilities within their scope, which can include specific vendors, products, or ecosystems. Red Hat is a CNA and can assign CVEs for vulnerabilities found in its products.

Certification Case

A record created in RHCert Connect to track the certification process for a specific product, including test results, documentation, and Red Hat certification team feedback.

Date-Flagged

A status assigned to a certified scanner in the Red Hat Ecosystem Catalog if recertification requirements are not met within the specified grace period.

National Vulnerability Database (NVD)

The U.S. government repository of standards-based vulnerability management data. It includes information about known vulnerabilities (CVEs), along with severity scores, impact metrics, and references. The NVD uses the Security Content Automation Protocol (SCAP) to support automated security management, compliance, and vulnerability scanning.

Open Vulnerability and Assessment Language (OVAL)

An open standard used to describe security advisories and configuration checks, commonly used in Red Hat’s security automation tools.

Package URL (PURL)

A standardized way to identify software packages by their type, name, version, and other attributes, providing a universal and unambiguous reference.

Red Hat Ecosystem Catalog

The official Red Hat catalog, where certified partner solutions and products are listed.

Red Hat Security Advisory (RHSA)

Official advisories published by Red Hat that provide information about security vulnerabilities affecting Red Hat products, including severity and the availability of fixes.

RPM Package Manager (RPM)

A free and open source package management system used by Red Hat and other Linux distributions to manage software packages.

Red Hat Partner Connect

Red Hat’s partner program, which provides tools, resources, and support to help organizations build, certify, and market their solutions with Red Hat technologies.

RHCert Connect

RHCert Connect is a partner portal used to manage Red Hat certification workflows, including submitting products for certification, uploading test results, and tracking certification status.

Technology Support Alliance Network (TSANet)

TSANet is a global, not-for-profit industry association that provides a framework for multi-vendor technical support collaboration, enabling companies to work together to resolve customer issues.

Universal Base Image (UBI)

A Red Hat-provided container base image that can be freely used and redistributed, with access to certified Red Hat content and support for partners and customers.

VEX Metadata

Information provided in a VEX file that describes the exploitability status of a vulnerability in the context of a specific product or environment.

© 2025 Red Hat