Red Hat

To report an issue in any Red Hat product or service please contact [email protected]. Red Hat Information Security, in its sole discretion, will make the final decision about granting, refusing, and publishing credits, as well as their form and content, and applying the rules listed below. We will refuse credits where researchers breach the rules below or do not otherwise behave responsibly and ethically:

• Reports we do not class as security issues are not eligible for an acknowledgement on this page; these include but are not limited to:

  • Directory Listings and FTP sites. Our products are based on open source components and we make certain content available using directory listings and via anonymous FTP. Please only report these if you find (what can reasonably be assessed as) non-public content being exposed
  • Version Numbers. We do not hide the version numbers of online service components and you should expect these will not be the latest upstream versions.
  • Secure Certificate Issues (mismatched host names, expired certificates, support for older protocols such as SSLv3)
  • Reports from automated tools or scanners without manual verification and analysis
  • Theoretical attacks without proof of exploitability
  • Brute force attacks (e.g. on passwords or tokens)
  • Attacks involving any user accounts not created by you
  • Attacks involving physical access to a user's device, or involving a device or network that is already compromised
  • Missing security headers that do not lead directly to a vulnerability
  • Clickjacking
  • Cookies missing secure or HttpOnly flags
  • Bugs that rely on an unlikely user interaction
  • Issues that are the result of a user deliberately performing an insecure action (like sharing their password or API tokens publicly)
  • Social engineering of Red Hat staff or users
  • Issues related to password and account recovery processes

• Some Red Hat branded services are operated by third parties. If you notify us about security issues on such sites we will coordinate fixes with the affected vendors and acknowledgements maybe given by those vendors or under their rules.

• Some security issues may be due to underlying vulnerabilities in third-party applications that we use. In these cases we will coordinate fixes with the application vendor and acknowledgements maybe given by those vendors or on our CVE dictionary pages.

• We expect you to make a good faith effort to avoid privacy violations, destruction of data, or degradation to our service during your research. Please avoid using tools that are likely to automatically generate significant volumes of traffic or otherwise cause operational problems for our sites.