
Since joining the Common Vulnerabilities and Exposures (CVE) Program in 2002, Red Hat has been committed to excellence, growth and innovation in product security. Today, we’re pleased to announce that Red Hat is now a CVE Numbering Authority of Last Resort (CNA-LR), a prestigious recognition of our leadership, expertise and continued commitment to industry advancement. This achievement is a testament to Red Hat’s dedication and a significant success for the entire open source software (OSS) community of which we are proud to be a part.

Red Hat’s role as a CNA remains, with the company being responsible for assigning CVE identifiers to vulnerabilities that affect open source software, particularly those that impact Red Hat’s products and associated upstream projects. Since 2022, Red Hat has served as a Root organization in the CVE Program, onboarding and mentoring open source software projects to succeed within the Program. Check out the blog, “Red Hat extends Common Vulnerabilities and Exposure Program expertise as newly-minted Root organization” for more details. CNA-LR extends this role further, enabling Red Hat to assign CVE IDs and to publish corresponding CVE records within Red Hat Root’s scope for vulnerabilities NOT covered by another CNA.

For example, if the Red Hat Root determines that a CNA within its hierarchy has refused to assign a CVE for any reason, Red Hat, as a CNA-LR, may assign a CVE for that reported vulnerability at the conclusion of the dispute process. You can find all information in the Red Hat CNA-LR Operational Guide.

For over two decades, Red Hat has actively contributed to the goals and initiatives of the CVE Program. Gaining a CNA-LR designation signifies our unwavering dedication and the trust and recognition we have earned within the program. This milestone reflects our relentless pursuit of excellence, strong collaborations and impactful contributions to industry standards and best practices. Additionally, it reinforces the collective strength of the OSS community, whose collaboration and support have been integral to our success.

What this means for you

Achieving CNA-LR status in the CVE Program provides us with new opportunities to help shape the future of our vulnerability ecosystem. With this elevation, we gain access to:

  • Greater influence: A stronger voice for the open source software community in the CVE Program
  • Stronger collaboration: Enhancing our work with more open source software maintainers and the broader community
  • Continued innovation: A platform to drive cutting-edge advancements and thought leadership

A heartfelt thank you

This achievement would not have been possible without the unwavering dedication of our team, the support of our open source community, and the trust of the CVE Program. We extend our deepest gratitude to everyone who has contributed to our journey and helped us reach this significant milestone. We want to thank our open source software community group, whose ongoing support has played a vital role in this success.

What’s next

As we step into this new chapter, we remain committed to driving progress, fostering innovation, and upholding the highest standards of excellence. Our elevation to CNA-LR is an achievement and a stepping stone toward even more outstanding contributions to the industry and open source software community.

Stay tuned for more updates as we continue our journey of leadership and excellence. Thank you for being part of Red Hat’s success story!


About the authors

Pete Allor is the Director for Red Hat Product Security covering the full Red Hat portfolio. He is active in various industry security forums for incident response reporting and secure development, such as NIST and CISA industry calls for input as well as FIRST (first.org), CVE and ISO / ITU / OASIS standards on security.

He is a former Board of Directors Member of FIRST, the Information Technology ISAC and a member of the Executive Board for the IT Sector Coordinating Council. Allor previously worked for Internet Security Systems, IBM and Honeywell. He is a retired US Army Officer.


Yogesh Mittal is a Product Security Manager at Red Hat, primarily focusing on vulnerability management and incident response. He participates in various industry working groups focused on improving vulnerability coordination and disclosure processes.
