Frequently Asked Questions

(1) What is being announced?

The Red Hat Partner Connect program is announcing Red Hat Vulnerability Scanner Certification, a collaboration with security partners to deliver more accurate and more reliable container vulnerability scanning results for Red Hat-published images and packages. Security partners can now consume and defer to Red Hat’s extensive and evolving set of published security data, saving customers time by minimizing false positives and other discrepancies.

(2) What is the leadership role that Red Hat is taking?

Red Hat has been transparently publishing CVE data since 2006, but customers are still seeing false positives and other discrepancies when they obtain vulnerability scanning reports from their respective security management providers.

With this certification, Red Hat has taken a leadership role by 1) formally collaborating with our security partners, 2) simplifying the use of Red Hat-published CVE data and standardizing on OVAL v2, and 3) simplifying customers’ vulnerability management efforts with fewer false positives.

(3) What does it mean to be a certified Vulnerability Scanner partner?

Certified security partners will be able to deliver vulnerability scanning reports that incorporate Red Hat-published security data, recommended by Red Hat Product Security, in a standardized fashion. Security partners that are not certified will continue as they have been operating and will continue to make their own determination as to which Red Hat security data to incorporate.

(4) Can any partner apply for this certification?

No, this certification is only for security partners that have a vulnerability scanning solution.

(5) How can a partner join this Vulnerability Scanner certification?

By contacting us through the Technology Partner Success Desk:

  • Click the Create Case button

  • Choose Product certification as the Category

  • Select the option Red Hat Vulnerability Scanner Certification

(6) Where can someone learn more about Vulnerability Scanner certification?

Visit the Red Hat product page.

(7) Where do I find the list of partners that have joined after the announcement?

Visit the Red Hat Ecosystem Catalog page.

(8) Is there something that further describes the problem statement?

Yes. See Dave Meurer’s “Shakespearean” article.

(9) Will this certification cover scanning of RPM packages that are not in a container?

No. The current scope of this certification is limited to Red Hat packages that are in a container (whether that container image is Red Hat-developed or non-Red Hat-developed).

(10) What enhancements can customers expect when they use a certified scanner solution?

Certified scanner solutions will display the Red Hat Severity Impact Rating [Critical, Important, Moderate and Low] for each CVE as determined by Red Hat Product Security, based on the specific Red Hat product version the package belongs to.

Certified scanners will be able to display CVEs for which Red Hat already has a fix (an RHSA) as well as those CVEs for which Red Hat has yet to provide a fix.

(11) What happens if I still find discrepancies with a certified scanner partner?

Discrepancies may still occur, but we believe there will be significantly fewer with certified partners. We have also integrated support processes with certified partners, so when discrepancies happen with Red Hat-managed packages in containers, you are welcome to contact Red Hat Support.

(12) When should Partners expect feedback from Red Hat after submitting their report?

It will take from 2 to 6 weeks for our Security Engineers to review your report.

(13) How long is a certified scanner valid for?

One year at most. However, note that the yearly validity does not start from the date a scanner achieves the certification, but from the moment Red Hat publishes the new, updated test-harness images which the certification requires to be completely scanned and reported on.

For example, if a Partner scanner receives the certification in July, and the test-harness images are published in September, the validity of the scanner will only be for about 2 months.

Red Hat is committed to publishing new test-harness images at least once a year. However, if Red Hat has security concerns, it might publish new images sooner. In that case, the scanner validity will be less than a year, and Partners will be required to recertify.

(14) Does the publication of the test-harness images have a cadence?

Yes, we publish the test-harness images around August 31 each year. However, Red Hat is committed to offering the highest level of security through our certification, so if any security concern or urgency is presented, we might publish new images earlier. If that happens, that new date will be the new reference for the year's validity.
