Experimenting with a new practice for pre-announcing vulnerability disclosures

Michael McNally mcnally at isc.org
Thu May 14 08:35:43 UTC 2020


Hey BIND-users,

I hope that most of you are already subscribed to the bind-announce list.
But for those who are not, bind-announce is another public list operated
by Internet Systems Consortium.  It is a low-traffic list which ISC staff
use to make announcements concerning the BIND project -- most frequently
about the release of new versions of BIND or occasionally when we disclose a
serious security vulnerability.  You can subscribe by going to: https://lists.isc.org

The reason I bring it up is that ISC is experimenting with a new practice
to extend our Security Vulnerability Disclosure Process.  After observing
this practice being used successfully by other open-source projects, we
have modified our disclosure policy to allow us to (optionally) make a
limited pre-announcement giving a "heads up" a few days before a public
disclosure occurs.

Such pre-announcements, should they occur, will be posted to the bind-announce
list and you can see the first example of one in the list archives even if
you are not a subscriber:

  https://lists.isc.org/pipermail/bind-announce/2020-May/001153.html

Michael McNally
ISC Support

