ISC Security Vulnerability Disclosure Policy
At ISC, we classify a security issue in two steps. First we determine whether the issue is already in public view and whether it is causing operational problems; issues are classed as either Type I (not in the wild) or Type II (in the wild). Next, we score the issue using the Common Vulnerability Scoring System (CVSS), which determines the severity of the problem and the urgency of the response. Once the issue is classified and scored, our development teams develop fixes for it. When possible, we then have the fix tested by the original reporter, in addition to our own internal tests. When the tests pass, we are ready to begin our phased disclosure process. This process is designed to give our customers the maximum possible preparation time, and to benefit the security of the Internet infrastructure as a whole by warning the security community and our vendors that a security disclosure is imminent.
In the event of a Type I Security Disclosure (not in the wild and not causing known problems):
- Phase One: ISC Software Forum Members of Sponsor level and above, and all ISC support customers, receive formal notice and a pre-release code snapshot as far in advance as possible. This is usually between two and five business days before the public disclosure and the release of the code.
- Phase Two: CSIRTs and other global security tracking organizations receive written notice of the disclosure 24 hours before planned release of the public disclosure and code.
- Phase Three: Vendors who package our code into their operating systems, appliances, and products receive written notice of the disclosure 24 hours before the planned release of the public disclosure and code. Vendors who are Software Forum Members receive notification in Phase One.
- Phase Four: Public disclosure of the vulnerability, and release of patched versions of all currently supported affected code.
In the event of a Type II Security Disclosure (in the wild, or causing known problems):
- Phase One: ISC Software Forum Members and support customers receive as much information as we have, as quickly as we can safely release it. It is not generally possible to send patched code in advance, but this is done when possible. Notification is sometimes prior to the public announcement, but not always. Whenever possible, ISC releases code to resolve a Type II disclosure within 24 hours of being notified of the problem.
- Phase Two: CSIRTs and vendors receive notification as soon as possible, but not always prior to the public announcement.
During a Type II Security Disclosure, ISC will endeavor to contact all critically affected customers and vendors as promptly as possible.
For further information on becoming an ISC Software Forum Member or an ISC support customer, please contact us at info@isc.org.
For further information on ISC's Phased Disclosure Process or Security Vulnerability response processes, please contact Larissa Shapiro (larissas@isc.org), ISC Product Manager.
For more information on Operational Notifications (non-security related), see the separate Operational Notifications page.