Frequently Asked Questions

(1) What is being announced?

Red Hat Partner Connect program is announcing Red Hat Vulnerability Scanner Certification, a collaboration with security partners to deliver more accurate and more reliable container vulnerability scanning results for Red Hat-published images and packages. Security partners can now consume and defer to Red Hat’s extensive and evolving set of published security data, saving customers time by minimizing false positives and other discrepancies.

(2) What is the leadership role that Red Hat is taking?

Red Hat has been transparently publishing CVE data since 2006, but customers are still seeing false positives and other discrepancies when they obtain vulnerability scanning reports from their respective security management providers.

With this certification, Red Hat has taken a leadership role by 1) formally collaborating with our security partners, 2) simplifying the use of Red Hat-published CVE data and standardizing on OVAL v2, and 3) simplifying customers’ vulnerability management efforts with fewer false positives.

(3) What does it mean to be a certified Vulnerability Scanner partner?

Certified security partners will be able to deliver vulnerability scanning reports that incorporate Red Hat-published security data, recommended by Red Hat Product Security, in a standardized fashion. Security partners that are not certified will continue as they have been operating and will continue to make their own determination as to which Red Hat security data to incorporate.

(4) Can any partner apply for this certification?

No, this certification is only for security partners that have a vulnerability scanning solution.

(5) How can a partner join this Vulnerability Scanner certification?

By sending an email to the certification team at [email protected].

(6) Where can someone learn more about Vulnerability Scanner certification?

Visit the Red Hat product page.

(7) Where do I find the list of partners that have joined after the announcement?

Visit the Red Hat Ecosystem Catalog page.

(8) Is there something that further describes the problem statement?

Yes. See Dave Meurer’s “Shakespearean” article.

(9) Will this certification cover scanning of RPM packages that are not in a container?

No. The current scope of this certification is for Red Hat packages that are in a container only (whether that container image is Red Hat-developed or non-Red Hat-developed).

(10) What enhancements can customers expect when they use a certified scanner solution?

Certified scanner solutions will display the Red Hat Severity Impact Rating (Critical, Important, Moderate, or Low) for each CVE as determined by Red Hat Product Security, based on the specific Red Hat product version that the package belongs to.

Certified scanners will be able to display CVEs for which Red Hat already has a fix (RHSA) as well as those CVEs for which Red Hat has yet to provide a fix.

(11) What happens if I still find discrepancies with a certified scanner partner?

Discrepancies may still occur, but we believe there will be significantly fewer with certified partners. We have also integrated support processes with certified partners, so when discrepancies happen with Red Hat-managed packages in containers, you are welcome to contact Red Hat Support.