Security Data
Red Hat Product Security are committed to providing tools and security data to help security measurement. Part of this commitment is our participation at board level in various projects such as MITRE CVE and OVAL. We also provide reports and metrics, but more importantly, we also provide the raw data below so customers and researchers can produce their own metrics, for their own unique situations, and hold us accountable.
CVRF Documents
The Common Vulnerability Reporting Framework (CVRF) standard enables organisations to share information about security issues with a consistent and common format. We provide Red Hat security advisories in CVRF format.
- CVRF compatibility FAQ
- Link to CVRF documents
- CVRF 1.1 samples (zip) (updated 2012-05-15)
OVAL Definitions
OVAL definitions are available for all vulnerabilities that affect Red Hat Enterprise Linux 3, 4, 5, 6, 7:
Vulnerability Statements and Acknowledgements
We publish acknowledgments and official statements for vulnerabilities currently under investigation and for vulnerabilities that do not affect our products and services. These statements appear on our in CVE pages
- cve-metadata-from-bugzilla.xml (XML feed, updated twice a day)
Vulnerability Metrics Data
CVE to date, CVE to severity, CVE to CVSS mapping
This data source maps CVE names to the dates the issues were first known to the public. This helps generate statistics based on "days of risk". This data source also captures the severity of the issues and how we found out about them (dates and sources). Although the dates may come from third-parties, the severity classifications are given by Red Hat Product Security and are specific to Red Hat, and will vary for other distributions and vendors. This file is updated here every one or two weeks (or by request, by contacting [email protected]):
- cve_dates.txt (updated 2015-11-18)
RHSA to date mapping
This data source is a mapping of Red Hat Security Advisories to the dates and times the advisories were issued. Most of this data comes automatically from the Red Hat Network, but some entries requiring manual adjustment have been annotated:
- release_dates.txt (updated twice a day)
RHSA to CVE and CPE mapping
This data source is a mapping of Red Hat Security Advisories to the vulnerabilities fixed (identified by CVE name). This file contains the product names affected in CPE format, and the package names, allowing the file to be filtered by a product or package subset:
- rhsamapcpe.txt (updated twice a day)
CPE lists for default installations
Red Hat Enterprise Linux ships with a large number of packages, but they are not all installed by default. These files give lists of packages in default installations, which can be used to filter the metrics. The format is the CPE name with the package name appended:
CVE to CWE mapping
This data source is a mapping of CVE addressed by Red Hat Security Advisories to the associates vulnerability CWE chain:
- OVAL compatibility FAQ
- cvemapcwe.txt (updated twice a day)
CPE Dictionary
CPE is a structured naming scheme for information technology systems, software, and packages. For reference, we provide a dictionary mapping the CPE names we use, to Red Hat product descriptions. Some of these CPE names will be for new products that are not in the official CPE dictionary, and should therefore be treated as temporary CPE names:
- cpe-dictionary.xml (updated twice a day)
Data Analysis
We provide a Perl script which creates reports based on the cve_dates.txt, release_dates.txt, and rhsamapcpe.txt data sources above. For a given product, such as Red Hat Enterprise Linux, and a date range, the script can list all the security issues fixed by severity and gives a "days of risk" metric, displayed as "Average is x days", as well as vulnerability work flow statistics. For example, run the following command to create a summary report of all critical advisories for Red Hat Enterprise Linux 5:
perl daysofrisk.pl --cpe enterprise_linux:5 --severity C
- daysofrisk.pl (updated 2015-11-02)
Sample Reports
You can use the daysofrisk.pl script to run sample reports based on the above data sources. The following are pre-generated examples:
| Distribution | Dates | Severity | Metrics |
|---|---|---|---|
| Red Hat Enterprise Linux 7 (all packages) | 20140610-20151118 | all dates Critical flaws | 86 vulnerabilities Average is 0.3 days Median is 0 days 98% were within 1 day |
| Red Hat Enterprise Linux 6 (all packages) | 20101110-20151118 | all dates Critical flaws | 373 vulnerabilities Average is 0.7 days Median is 0 days 92% were within 1 day |
| Red Hat Enterprise Linux 5 (all packages) | 20070314-20151118 | all dates Critical flaws | 439 vulnerabilities Average is 0.4 days Median is 0 days 98% were within 1 day |
| Red Hat Enterprise Linux 5 Server (default installation packages) | 20070314-20151118 | all dates For all flaws regardless of severity | 1728 vulnerabilities Average is 89.8 days Median is 5 days 47% were within 1 day |
| Red Hat Enterprise Linux 4 AS (default installation packages) | 20050215-20120229 | all dates Critical flaws | 66 vulnerabilities Average is 0.5 days Median is 0 days 94% were within 1 day |