How Red Hat Supports Open-Source Vulnerabilities Within the CVE Program


By Yogesh Mittal, Manager at Red Hat Product Security

Guest author Yogesh Mittal is a Manager at Red Hat Product Security, and Red Hat is a long-time CVE Numbering Authority (CNA) and now a Root.

Open source software is software whose source code anyone can inspect, copy, modify, share, enhance, and learn from. By contrast, “proprietary” or “closed source” software has source code that only the person, team, or organization that created it can modify; the originators maintain exclusive control over it.

When we talk about “open source software,” two terms are commonly used across the industry: upstream and downstream. Within information technology, these terms describe the direction in which code and data flow. In open source, “upstream” is the source repository and project where contributions happen and releases are made. Contributions flow from upstream to downstream.

One of the best examples is the Linux kernel, which is the upstream project for many Linux distributions. Distributors like Red Hat take the unmodified kernel source and add patches and opinionated configuration to build the kernel with the options they want to offer their users. The source code that the distributors maintain and release is often referred to as “downstream.”

CVE Records for Open-Source Software

CNAs are organizations that are authorized to reserve CVE IDs and publish CVE Records for vulnerabilities within their scope. For the CVE Program to be successful, one critical requirement is that there be exactly one CVE Record for each vulnerability in the catalog, regardless of whether the affected source code is open source or proprietary. The CVE Program is structured so that upstream communities assign the CVE ID for their own code, and downstream entities then share and refer to that same record. Many open source projects and organizations are Red Hat partners that discover, assign, and publish their vulnerabilities independently. Other open source projects prefer to get assistance from expert organizations for CNA activities, specifically assigning and publishing CVEs. The success and inclusion of these open source projects in the CNA program are critical to the program as a whole. Organizations like Red Hat extend their support to open source projects that request assistance, assigning and publishing CVE Records for vulnerabilities that are not covered by a specific CNA.

Red Hat and the CVE Program

Red Hat has partnered with the CVE Program as a CNA since 2002. As the CVE Program has matured and expanded, and continues to grow, Red Hat has remained one of its major contributors. Red Hatters are passionate and actively involved in various special working groups in the CVE Program. One example worth mentioning is the popular “cvelib” Python library and command line interface for the CVE Services API, which is developed and maintained by Red Hatters.

In September 2022, in recognition of Red Hat’s reputation, its support for the open source community, and its track record as a CNA, the CVE Program designated Red Hat as a Root for open source organizations and projects. Red Hat is now the fifth Root in the CVE Program.

Beyond its contribution to the success of open source projects in the CNA program, Red Hat also extends its support to the wider community. A few examples:

  • Red Hat has published a large number of articles, blogs, and other resources that describe different facets of how it handles security vulnerabilities in its products.
  • Red Hat Product Security released a public version of its Incident Response Plan (IRP). The IRP outlines an orchestration process that any organization can use to coordinate its response to security vulnerabilities reported or discovered in its offerings.
  • Red Hat also published a document that describes the current state of its vulnerability management process. This document is kept up to date to reflect the evolution of that process. Red Hat follows the open source philosophy of continuous improvement, which includes efforts to improve how it addresses vulnerabilities and to share those improvements publicly.

Red Hat is pleased to support the success of open source organizations, both as a CNA and as a Root, and to help the MITRE Top-Level Root distribute the responsibilities for open source software vulnerability disclosure, contributing to the overall success of the CNA program.

If you are interested in your open source project or organization becoming a CNA, or working with Red Hat to help you manage your CVEs, please contact us at RootCNA-Coordination@redhat.com to begin the discussion.