Red Hat Champions New Public Forum for Official Statements on Vulnerabilities
New, transparent way for the software industry to contribute real-time, official statements on vulnerabilities using the National Vulnerability Database
RALEIGH, NC -- September 7, 2006 -- Red Hat today announced a new initiative, implemented by the National Institute of Standards and Technology (NIST), that enables members of the software industry to officially and publicly comment on vulnerabilities. This service is being implemented within the National Vulnerability Database (NVD) at NIST, based on Red Hat's recommendation.
Red Hat approached NIST with the idea of using the NVD to create an official vendor statement service based on the Common Vulnerabilities and Exposures (CVE) naming standard, giving the software industry an open, transparent forum to contribute information about vulnerabilities. Both open-source and proprietary software vendors now have the opportunity to comment on vulnerabilities in their products, and can use the service in a variety of ways, including configuration and remediation guidance, clarifications of vulnerability applicability, deeper vulnerability analysis, disputes of third-party vulnerability information, and explanations of vulnerability impact.
Red Hat will be the first contributor to the service by providing real-time updates to the NVD about how vulnerabilities may or (just as importantly) may not affect Red Hat products. This information resource is critical to the timely dissemination of security information for Red Hat customers and will allow customers to take action quickly if needed. It is also the benefit that customers can expect on a much larger scale when the service is utilized by the software industry as a whole.
"With advancements such as SELinux and Execshield, Red Hat and the open source community continue to build superior security capabilities into the platform that natively protect against malicious use of vulnerabilities, but we are constantly looking for ways to improve and strengthen our security measures. Increasing and enhancing the communication paths and mechanisms for customers to obtain information about vulnerabilities is another way we can help our customers," said Mark J. Cox, security response director at Red Hat. "Through our work with NIST's National Vulnerability Database, we can now provide official statements about vulnerabilities and their potential impact via a widely recognized mechanism, as well as enable the entire software industry to contribute."
"We appreciate Red Hat approaching us with this idea of creating the official vendor statement initiative within the National Vulnerability Database," said Peter Mell, NVD program manager, NIST. "Software vendors have the deepest knowledge about their products and are uniquely positioned to comment on their vulnerabilities. Thanks to Red Hat's creativity, we are able to provide this service to the software development community as a whole."
As a widely recognized, comprehensive cyber security resource containing all publicly available U.S. government vulnerability information, the NVD serves users of both open source and proprietary software. By centralizing and communicating vulnerability information in one place, it gives customers and users more information from both the U.S. government and the vendors themselves.
To learn more about vendor statements within the NVD, please visit http://nvd.nist.gov. Vendor statements are directly visible from the relevant vulnerability pages. A complete XML feed is updated every two hours at http://nvd.nist.gov/download/vendorstatements.xml. To learn more about Red Hat's security initiatives, solutions, and resources, please visit http://www.redhat.com/security.
About Red Hat, Inc.
Red Hat is leading Linux and open source solutions into the mainstream by making high-quality, low-cost technology accessible. Red Hat provides an operating system platform, Red Hat Enterprise Linux, along with applications, management, and middleware solutions, including JBoss Enterprise Middleware Suite. Red Hat is accelerating the shift to service-oriented architectures and enabling the next generation of Web-enabled applications running on a low-cost, secure open source platform. Red Hat also offers support, training, and consulting services to its customers worldwide and through top-tier partnerships. Red Hat's open source strategy offers customers a long-term plan for building infrastructures that are based on and leverage open source technologies, with a focus on security and ease of management. Learn more: http://www.redhat.com