Security Data

Red Hat Product Security is committed to providing tools and security data to help security measurement. A part of this commitment is our active participation in various projects such as the CVE Project, the OASIS CSAF technical committee, or SBOM/VEX forums. We provide the raw data below so customers and researchers can produce their own metrics, for their own unique situations, and hold us accountable. To receive notifications when we fix bugs and add new features, please follow the official Red Hat Security Data Changelog.

The data resources linked on this page as well as their alternative representations available through the Security Data API are licensed under the Creative Commons Attribution 4.0 International License. If you distribute this content or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original.

Note: Security data (CSAF, OVAL, SBOM, and other files) published by Red Hat Product Security was previously served from two locations:

  • https://access.redhat.com/security/data/*
  • https://www.redhat.com/security/data/*

A new domain was recently created the scope of which (for the time being) is to serve this same data:

  • https://security.access.redhat.com/data/*

Effective Sep 3, 2024, a redirect was put in place for all traffic from www.redhat.com/security/data/* to be redirected to the new security.access.redhat.com/data/* domain. On Sep 30, a similar change was made for access.redhat.com/security/data/* to redirect to security.access.redhat.com/data/. No change to the actual files or directory layout under the data/* path was made. You can start consuming from the new domain today. For example: https://access.redhat.com/security/data/csaf/v2/vex/2024/cve-2024-0151.json is now available at https://security.access.redhat.com/data/csaf/v2/vex/2024/cve-2024-0151.json; on Sep 30, the former began redirecting to the latter.

CSAF/VEX Documents

The Common Security Advisory Framework (CSAF) standard enables organizations to share information about security issues using a consistent and common format. We provide Red Hat security advisories in CSAF format using the VEX profile as well as per-CVE VEX documents that contains information on both fixed and unfixed products/components.

OSV Records

Red Hat / OSV.dev announcement on OpenSSF. The CSAF advisory data for RPMs is convertered to OSV records and shared with OSV.dev. It is expected that customers will consume this data from OSV.dev not directly from this URL. This is the location OSV.dev consumes the data from.

SBOM Documents

Software Bill of Materials (SBOM) is a complete list of components, their versions, licensing information, provenance, and other metadata for a given product. Red Hat publishes SBOM documents for select products at:

OVAL Definitions

Note: OVAL/DS v1 files are no longer available and have been archived; see OVAL v1 deprecation announcement for more information.

OVAL definitions are available for vulnerabilities that were addressed in errata for Red Hat Enterprise Linux and select additional products. To completely evaluate your system you will need to evaluate it against the streams for all products installed on that system.

Vulnerability Metadata

Repository to CPE Mapping

Used for matching OVAL security data to installed RPMs. Each repository also includes a set of relative URLs from where the content of the repository can be downloaded.

RHSA RSS feed

An RSS feed that contains a list of Red Hat security advisories released in the last three days.

CPE Dictionary

CPE is a structured naming scheme for information technology systems, software, and packages. For reference, we provide a dictionary mapping the CPE names we use, to Red Hat product descriptions. Some of these CPE names will be for new products that are not in the official CPE dictionary, and should therefore be treated as temporary CPE names:

Security Data Archive

Security data files that have been retired are available in an archive. Each file is marked with a date (YYYYMMDD) when it was last updated: