Red Hat Introduces Project Hummingbird focused on Cloud-Native Dev & "Zero-CVE"

RALEIGH, N.C. - November 19, 2025 —

Red Hat, the world's leading provider of open source solutions, today announced Project Hummingbird, an early access program for Red Hat subscription customers that provides a catalog of minimal, hardened container images. Project Hummingbird is designed to help IT organizations address the constantly growing demand for better software with minimal attack surfaces, delivered more swiftly without compromising production security.

IT leaders frequently face a critical trade-off between application velocity and systems security. Time-to-market defines the modern application landscape, especially as AI-assisted and -generated coding tools accelerate development cycles, but this speed can run counter to the realities of managing multi-faceted, complicated software components. This seemingly leaves CIOs with two choices: Moving at the speed of business while balancing potential production systems risks, or being overcautious to the point of losing to competitor’s innovations. 

Project Hummingbird addresses the dueling needs of speed and risk mitigation with a catalog of tested, micro-sized container images stripped of non-essential components, including:

• The latest languages and runtimes such as .Net, Go, Java, Node and more.
• Critical developer databases like mariadb and postgresql.
• Web servers and proxies with Nginx, caddy and others.
• Along with many other foundational components for modern application stacks

By offering these leaner, production-ready images, Project Hummingbird intends to reduce the time and effort spent on package integration and vulnerability management, freeing up resources to focus on faster, more effective innovation. 

Project Hummingbird strives to provide:

• “Zero-CVE” status, meaning that Project Hummingbird images are shipped free of known vulnerabilities with functionality testing already completed, confirming that the images are also genuinely useful and stable.
• A curated, production-ready catalog of the minimal, hardened containers most requested by Red Hat customers, giving developers only what they truly need to create differentiated applications, along with a smaller attack surface.
• Complete software bill of materials (SBOMs), enabling users to verify the contents of an image to help meet modern compliance requirements.
• Full production support will be available to subscription customers when Project Hummingbird is released for general availability. This delivers the full extent of a Red Hat subscription, providing access to Red Hat's hardened, documented software supply chain and deep enterprise expertise.

Additionally, unsupported Project Hummingbird images will be freely available and redistributable at general availability, alongside following a similar model to other Red Hat offerings including Red Hat Universal Base Image (UBI). Project Hummingbird is built using the open source development process, originating from Fedora Linux components. Fedora Linux serves as the upstream source for Red Hat Enterprise Linux development.

For more than 30 years, Red Hat has delivered hardened, production-ready open source technologies to global organizations across industries. “Zero-CVE” status is meaningless if the components do not work in complex environments, are difficult to integrate, or simply are not what developers need. Red Hat understands the nuances of running open source code on critical systems, and that deep enterprise expertise is the backbone of Project Hummingbird.

Supporting Quote
Gunnar Hellekson, vice president and general manager, Red Hat Enterprise Linux, Red Hat
"The speed of business today depends on the speed of software. As supply chain attacks grow in prominence, organizations are often forced to choose between moving fast and maintaining security posture. Project Hummingbird is designed to remove that trade-off by providing a minimal, trusted, and transparent zero-CVE foundation for building cloud-native applications. This limits vulnerabilities so development and IT security teams have a clear, direct path to business value with speed, agility, security, and peace of mind."