Chapter 2. Requirements for Vulnerability Management reports
The Vulnerability Management Certification focuses on scan accuracy and completeness for Red Hat content, including RPMs, RPM modules, non-RPM components, and layered products. Red Hat also encourages the use of the CSAF-VEX for gathering information about the non-RPM content.
The following requirements define technical compliance criteria.
2.1. Red Hat security data usage requirements
You must use Red Hat’s CSAF-VEX (Common Security Advisory Framework – Vulnerability Exploitability eXchange) files as the standard data source for identifying and reporting Red Hat CVEs (Common Vulnerabilities and Exposures). These files ensure accurate and consistent reporting of vulnerabilities that are affected, fixed, or not applicable across Red Hat products.
Success Criteria:
- The report uses CSAF-VEX for Red Hat product assessments
- The vulnerability output includes VEX metadata
To learn more about VEX files, see Red Hat VEX files.
2.2. Red Hat package identification
To minimize false positives, your security tool must accurately identify Red Hat package versions across RPMs, RPM modules, and non-RPM content, including container-first non-RPM and Maven-based artifacts. Red Hat uses backporting to apply security fixes from newer versions of upstream software packages to older package versions it distributes. When backporting a fix, Red Hat:
- Identifies the specific security fixes and isolates them from unrelated changes
- Ensures the fixes do not introduce unwanted side effects
- Applies the fixes to the appropriate older package version
Basing vulnerability assessments solely on software package version numbers can be misleading: a version-only comparison does not account for backported security fixes and therefore produces false positives on packages that Red Hat has already fixed.
Success Criteria:
- The report correctly interprets Red Hat RPM versioning
- The report avoids version-only judgments and accurately recognizes backported fixes
- The report demonstrates a reduced false-positive rate
To learn more about backporting, see Red Hat security fixes backporting.
2.3. Red Hat Severity Ratings
Your scanner must include Red Hat CVE metadata in the default scan reports. This includes both the severity rating and the Common Vulnerability Scoring System (CVSS) base score provided by Red Hat. If your tool displays Red Hat CVE metadata separately from general severity or CVSS fields, it must do so by default, without requiring additional configuration.
Red Hat Product Security assigns severity ratings by using a four-point scale: Low, Moderate, Important, and Critical. It also provides a Common Vulnerability Scoring System (CVSS) base score to offer a more detailed, standardized view of risk. These scores help users prioritize vulnerabilities and make informed decisions about system upgrades based on their specific environments.
For open source software shipped by multiple vendors, CVSS base scores can vary between vendors depending on several factors, including package versions, compilation methods, platforms, and deployment scenarios. This makes scoring difficult for third-party vulnerability databases such as the National Vulnerability Database (NVD), which assigns a single CVSS base score per vulnerability; that single score might not reflect how Red Hat packages and uses the software.
Additional discrepancies can occur based on factors such as compiler flags, hardening techniques, or how you use the software within the product. In some cases, code can be present but not exploitable within Red Hat’s usage context.
Because of these differences, Red Hat strongly recommends using Red Hat-provided severity ratings and CVSS scores instead of relying on third-party sources. As part of the certification requirements, your scanner must display Red Hat’s severity scale and scoring data to ensure users receive accurate and actionable information.
Success Criteria:
- The scan report uses Red Hat-provided CVE metadata at the correct product and component level
- The report displays Red Hat’s severity scale (Low, Moderate, Important, Critical)
- The report includes Red Hat’s CVSS base scores alongside severity ratings
To learn more about Red Hat severity ratings, see Red Hat four-point scale severity ratings.
2.4. Red Hat Security Advisory Requirements
For any CVE with an available fix from Red Hat, you must accurately identify and report the corresponding Red Hat Security Advisory (RHSA). The RHSA must match the specific vulnerable component and the impacted artifact reported in the scan.
Providing accurate RHSA data ensures that users can locate official Red Hat remediation guidance and apply verified fixes aligned with Red Hat’s supported software lifecycle.
Success Criteria:
- The report includes the correct RHSA for each applicable CVE
- The RHSA matches the affected component and artifact as identified in the scan
2.5. Red Hat CVEs exclusion criteria
Your scanner must exclude CVEs that Red Hat has marked as Not affected, Rejected, or Disputed. These vulnerabilities should not appear in the scan results. If your scanner includes them, the report must clearly indicate their status to avoid misinterpretation or false alarms.
Success Criteria:
- The scan report does not include CVEs marked as Not affected, Rejected, or Disputed by Red Hat
- If listed, these CVEs are clearly labeled with their correct status
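The following is an added example, not code from Red Hat or from this certification guide, showing how the requirements in sections 2.1 through 2.5 fit together in a scanner: the CSAF-VEX `product_status` is the source of truth, a backported fix is detected by comparing the full epoch:version-release rather than the upstream version, the Red Hat severity, CVSS base score and RHSA are read from the same VEX record, and "not affected" entries are excluded. The VEX record is a constructed, minimal stand-in for Red Hat's real files, the CVE and RHSA identifiers are placeholders, and the `rpm_vercmp` is a simplified version of the rpm algorithm (no tilde or caret handling).

```python
import re

# Constructed, minimal CSAF-VEX record in the shape Red Hat publishes; the CVE and
# RHSA identifiers are placeholders, not real advisories.
FIXED_ID = "rhel9:openssl-1:3.0.7-24.el9"
VEX = {"vulnerabilities": [{"cve": "CVE-0000-0001",
    "product_status": {"fixed": [FIXED_ID],
                       "known_not_affected": ["rhel8:openssl-1:1.1.1k-12.el8"]},
    "remediations": [{"category": "vendor_fix", "product_ids": [FIXED_ID],
                      "url": "https://access.redhat.com/errata/RHSA-0000:0001"}],
    "scores": [{"cvss_v3": {"baseScore": 7.5}, "products": [FIXED_ID]}],
    "threats": [{"category": "impact", "details": "Important", "product_ids": [FIXED_ID]}]}]}
EVR_RE = re.compile(r"(?:(\d+):)?([^-]+)-(.+)")  # epoch:version-release

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no tilde/caret): compare segments; a number beats a letter."""
    seg = lambda s: [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[a-zA-Z]+", s)]
    sa, sb = seg(a), seg(b)
    for x, y in zip(sa, sb):
        if type(x) is not type(y):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))
def evr_cmp(a, b):
    """Compare two EVR strings as rpm does: epoch first, then version, then release."""
    (ea, va, ra), (eb, vb, rb) = EVR_RE.fullmatch(a).groups(), EVR_RE.fullmatch(b).groups()
    return rpm_vercmp(ea or "0", eb or "0") or rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)
def _pick(entries, key, pid):
    return next((e for e in entries if pid in e[key]), None)
def assess(vex, platform, name, installed_evr):
    """Findings for one installed package: status from VEX plus a full EVR comparison."""
    findings = []
    for vuln in vex["vulnerabilities"]:
        for status, pids in vuln["product_status"].items():
            for pid in pids:
                plat, pname, pver, prel = re.fullmatch(r"([^:]+):(.+)-([^-]+)-([^-]+)", pid).groups()
                if (plat, pname) != (platform, name):
                    continue
                f = {"cve": vuln["cve"], "status": status}
                # The backport lives in the release tag: compare the full EVR, never the upstream version alone.
                if status == "fixed" and evr_cmp(installed_evr, f"{pver}-{prel}") < 0:
                    rem = _pick(vuln.get("remediations", []), "product_ids", pid)
                    f.update(status="affected", rhsa=rem and rem["url"])
                thr = _pick(vuln.get("threats", []), "product_ids", pid)
                sc = _pick(vuln.get("scores", []), "products", pid)
                f.update(severity=thr and thr["details"], cvss=sc and sc["cvss_v3"]["baseScore"])
                findings.append(f)
    # Section 2.5: Red Hat "not affected" entries are dropped instead of reported.
    return [f for f in findings if f["status"] != "known_not_affected"]
```

A host running openssl-1:3.0.7-16.el9 is reported as affected with the RHSA, severity and CVSS from the VEX, while 1:3.0.7-24.el9 is reported as fixed even though its upstream version is unchanged.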