Keeping Track Of Vulnerabilities With CVEs
Mar 19, 2026
Jeremy West, Senior Manager of Product Security Engineering at Red Hat, leads product security incident response. He walks through CVE tracking and why common identifiers matter. Listen to how vulnerabilities are named, how CVEs are governed versus stored, and how severity, CVSS, and remediation priorities are determined. Practical takes on prioritization, risk tolerance, and the economics of patching.
AI Snips
CVE Is A Governance Standard Not Just A Database
- CVE is a governance standard that gives everyone a common naming system for vulnerabilities.
- Jeremy West explains it enforces reporting rules and consistent data so vendors and researchers can all “talk the same language.”
Follow A Structured Report And Remediation Workflow
- When a researcher reports a vulnerability to Red Hat they assign an ID, map the weakness, assess CIA impact, and work with maintainers to fix it.
- Red Hat often assigns the CVE under embargo and publishes details when ready to coordinate remediation.
Publish Both CVE Pages And Machine Readable VEX
- Red Hat publishes human-readable CVE pages plus machine-readable VEX documents about vulnerabilities.
- VEX provides structured exploitability and mitigation data so customers and tooling can automate risk decisions.
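To show what "tooling can automate risk decisions" looks like in practice, here is an added example (not code from the episode, from Red Hat, or from any VEX tool) that consumes an OpenVEX-style document and triages a list of scanner findings against it. The VEX document, the CVE ids (CVE-0000-000x), the package URLs and the scanner findings are all constructed placeholders; the status-to-decision mapping is this example's own policy, not a standard. One caveat a practitioner would want is built in: a "not_affected" statement that carries no justification or impact statement is treated as unknown rather than used to suppress a finding.

```python
import json

# Constructed OpenVEX-style document: sample data for this example, not a Red Hat
# or project artifact. CVE ids and package URLs are obvious placeholders.
VEX_JSON = json.dumps({
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://vex.example.invalid/doc-0001",
    "author": "example-vendor-psirt",
    "timestamp": "2026-03-19T00:00:00Z",
    "version": 1,
    "statements": [
        {   # vulnerable code is present but never reached: finding can be suppressed
            "vulnerability": {"name": "CVE-0000-0001"},
            "products": [{"@id": "pkg:rpm/example/libfoo@1.2.3"}],
            "status": "not_affected",
            "justification": "vulnerable_code_not_in_execute_path",
        },
        {   # this build already carries the fix
            "vulnerability": {"name": "CVE-0000-0002"},
            "products": [{"@id": "pkg:rpm/example/libfoo@1.2.3"}],
            "status": "fixed",
        },
        {   # genuinely affected; the vendor states the remediation
            "vulnerability": {"name": "CVE-0000-0003"},
            "products": [{"@id": "pkg:rpm/example/libbar@2.0.0"}],
            "status": "affected",
            "action_statement": "Update to libbar 2.0.1 or later",
        },
        {   # malformed: not_affected without a justification must not suppress anything
            "vulnerability": {"name": "CVE-0000-0004"},
            "products": [{"@id": "pkg:rpm/example/libbar@2.0.0"}],
            "status": "not_affected",
        },
    ],
})

# Constructed scanner output: (package URL, CVE) pairs a scanner flagged on a host.
FINDINGS = [
    ("pkg:rpm/example/libfoo@1.2.3", "CVE-0000-0001"),
    ("pkg:rpm/example/libfoo@1.2.3", "CVE-0000-0002"),
    ("pkg:rpm/example/libbar@2.0.0", "CVE-0000-0003"),
    ("pkg:rpm/example/libbar@2.0.0", "CVE-0000-0004"),
    ("pkg:rpm/example/libbaz@0.9.0", "CVE-0000-0005"),  # no VEX statement at all
]

# Policy assumed by this example: which triage decision each VEX status drives.
DECISION_FOR_STATUS = {
    "not_affected": "suppress",
    "fixed": "suppress",
    "affected": "remediate",
    "under_investigation": "watch",
}


def index_vex(vex_json):
    """Build a {(product_id, cve): statement} lookup from a VEX document.
    A later statement for the same (product, CVE) pair overrides an earlier one."""
    doc = json.loads(vex_json)
    index = {}
    for stmt in doc.get("statements", []):
        cve = stmt["vulnerability"]["name"]
        for product in stmt.get("products", []):
            index[(product["@id"], cve)] = stmt
    return index


def decide(stmt):
    """Map one VEX statement to a triage decision. A 'not_affected' claim with neither
    a justification nor an impact statement is not trusted to suppress a finding."""
    status = stmt.get("status")
    if status == "not_affected" and not (stmt.get("justification") or stmt.get("impact_statement")):
        return "unknown"
    return DECISION_FOR_STATUS.get(status, "unknown")


def triage(vex_json, findings):
    """Return {(product_id, cve): (decision, reason)} for every scanner finding."""
    index = index_vex(vex_json)
    result = {}
    for product_id, cve in findings:
        stmt = index.get((product_id, cve))
        if stmt is None:
            result[(product_id, cve)] = ("unknown", "no VEX statement")
            continue
        reason = stmt.get("justification") or stmt.get("action_statement") or stmt.get("status", "")
        result[(product_id, cve)] = (decide(stmt), reason)
    return result


if __name__ == "__main__":
    for (product_id, cve), (decision, reason) in triage(VEX_JSON, FINDINGS).items():
        print(f"{decision:9} {cve} on {product_id}: {reason}")
```

Findings the document says nothing about stay "unknown" and keep their scanner severity; only an explicit, justified vendor statement changes a decision, which is the point of pairing the human-readable CVE page with the machine-readable VEX record.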
