FAQs
Frequently Asked Questions
Last updated
The Red Hat Partner Connect program is announcing Red Hat Vulnerability Scanner Certification, a collaboration with security partners to deliver more accurate and more reliable container vulnerability scanning results for Red Hat-published images and packages. Security partners can now consume and defer to Red Hat’s extensive and evolving set of published security data, saving customers time by minimizing false positives and other discrepancies.
Red Hat has been transparently publishing CVE data, but customers are still seeing false positives and other discrepancies when they obtain vulnerability scanning reports from their respective security management providers.
With this certification, Red Hat has taken a leadership role by 1) formally collaborating with our security partners, 2) simplifying the use of Red Hat-published CVE data and standardizing on OVAL v2, and 3) simplifying customers’ vulnerability management efforts with fewer false positives.
Certified security partners will be able to deliver vulnerability scanning reports that incorporate Red Hat-published security data, recommended by Red Hat Product Security, in a standardized fashion. Security partners that are not certified will continue as they have been operating and will continue to make their own determination as to which Red Hat security data to incorporate.
No, this certification is only for security partners that have a vulnerability scanning solution.
By contacting us through the :
Click on the button Create Case
Choose Product certification in Category
Select the option Red Hat Vulnerability Scanner Certification
No. The current scope of this certification is for Red Hat packages that are in a container only (whether that container image is Red Hat-developed or non-Red Hat-developed).
Certified scanners will be able to display CVEs for which Red Hat already has a fix (RHSA), as well as those CVEs for which Red Hat has yet to provide a fix.
Discrepancies may still occur, but we believe there will be significantly fewer with certified partners. We have also integrated support processes with certified partners, so when discrepancies happen with Red Hat-managed packages in containers, you are welcome to contact Red Hat Support.
It will take from 2 to 6 weeks for our Security Engineers to review your report.
One year at most. However, consider that the yearly validity does not start from the date a scanner achieves the certification, but from the moment that Red Hat publishes the new, updated test-harness images that the certification requires to be completely scanned and reported on.
For example, if a Partner scanner receives the certification in July, and the test-harness images are published in September, the validity of the scanner will only be for about 2 months.
Red Hat is committed to publishing new harness images at least once a year. However, if Red Hat has security concerns, it might publish new images in a shorter period. In that case, the scanner validity will be less than a year, and Partners will be required to recertify it.
Yes, we publish the test-harness images around August 31 each year. However, Red Hat is committed to offering the highest level of security through our certification, so if any security concern or urgency is presented, we might publish new images earlier. If that happens, that new date will be the new reference for the year's validity.
Visit the Red Hat
Visit the .
Yes. See Dave Meurer’s “Shakespearean” .
Certified scanner solutions will display a severity rating [Critical, Important, Moderate or Low] for each CVE as determined by Red Hat Product Security, based on the specific Red Hat product version the package belongs to.