ISC Security Vulnerability Policy Updated
At ISC we are updating our security vulnerability disclosure policy.
Read post
This text was updated on 2 August 2019. Please click here to read our full, up-to-date privacy policy.
Like many responsible organizations with an online presence, we have committed to meet our new obligations under GDPR (General Data Protection Regulations – it’s an EU thing). We are a small business with approximately 35 employees and no business activities located in Europe. We are committed to transparency because we care about public trust in ISC; we also don’t want to spend a lot of your money on lawyers. We have created a formal written privacy policy based heavily on the one ISOC recently published, and have done our own inventory of personal and technical data we have in our systems.
What follows is an inventory of the data we collect and use, with a link to the formal Statement of Privacy.
ISC’s Public Sites
ISC operates a number of Sites for public collaboration and information sharing, including but not limited to: public mailing lists, fora, ISC’s main website, project wiki pages, source code repositories, software issue trackers, our Knowledgebase, our ftp.isc.org and downloads.isc.org downloads site, social media sites, and others.
- We don’t use paywalls or require registration to read information on any of our Sites or to download documents or software. We do require registration to submit data to these systems in order to control spam and abuse. We may use your Personal Data submitted during registration to contact you. In some cases, your registration and other personal information provided by you will be visible to other users.
- Users of our public mailing lists, issue trackers, code repositories, Knowledgebase and other ISC Sites consent to publishing their personal data when they choose to participate actively in those public sites. ISC’s mailman service, Gitlab, source.isc.org, ftp.isc.org, downloads.isc.org, kea.isc.org, bugs.isc.org, www.isc.org, and ednscomp.isc.org are operated by ISC. ISC’s Github site, Nabble forum, and Document360 Knowledgebase are operated by those companies on our behalf.
- ISC maintains several databases for tracking software issue reports by users. These databases enable the public to report and view problem reports about ISC open source projects. These include but are not limited to:
All of these systems may store submitter username, email address, and other contact data, depending on what the user shared (e.g. in the signature field in the email), as well as technical data about their software deployment, network, and issue, and possibly configuration files, log files, and core dumps. We must have this information in order to communicate with the submitter to get more information about the issue and/or verify a solution.
We don’t want anyone to refrain from submitting issues because of privacy concerns, however, so if you want to submit an issue and don’t want your submission to be publicly visible, contact us to request that we hide your personal information. Depending on the site, this may mean that the entire issue is non-public, which defeats the purpose of having a public issue tracker, so please don’t do this without a compelling reason.
ISC’s Contact Database
- ISC maintains a contact database for sales and marketing purposes. This database includes contact names, with organization, title, email, phone and fax contact information, contracts, purchase orders and their details, and a log of emails exchanged between the contact and ISC.
- When you send ISC an inquiry, we log your inquiry including your contact information and the text of your inquiry in our contact database, where we also track our response to you. Your information will be in this database if you have ever contacted ISC asking for help, or a quote for services, either via phone, email, or by visiting our table at a conference.
- If you have made a purchase from or a donation to ISC, or visited our booth at a conference or industry event, your name and contact information may also be in this database. We use this information to acknowledge your donation and we may use it to solicit future donations.
- We have also in the past purchased some lists for marketing purposes, which may have also been imported into this database.
- We use this contact database to stay in touch with users, to sell and to provide the services that support our work. We do occasionally send bulk email to contacts in this marketing database, but that is infrequent, and always includes a clearly visible link to unsubscribe from future mailings. Users who have unsubscribed will be marked as “opted out” in the database and will not be sent further bulk emails.
- This database is maintained for us by SugarCRM. Per our agreement with SugarCRM they are permitted to hold and process this data for ISC’s own business use only, and they may not leverage it for any other purpose. ISC does not share or sell the information with any other organization. Access is limited to a small subset of ISC employees who need the information for their business purposes.
Webinars and Surveys
- To register to participate in certain ISC activities (e.g. webinars), you may be asked to register and provide personal information including employer, physical address, and/or email and phone contact information. This information is collected to facilitate followup in case you ask questions on the webinar that we can’t answer on the spot, and may be used in marketing our services to you or fulfilling special offers made to webinar participants. The information may be stored in the webinar conferencing application and/or our customer relationship management database (CRM), below.
- ISC occasionally conducts surveys for marketing and product management purposes. Survey tools generally use cookies and log IP addresses to prevent duplicate responses, or to facilitate completing a partially completed survey at a later time. Depending on the survey collection method, the survey data may permit identification of the email address of the respondent. The information provided in response to the survey is stored along with any respondent-identifying information collected by the survey tool.
- Webinar registrations and survey data are processed by third parties. We currently use Zoom for conferencing services and SurveyMonkey for survey operations.
- Access to webinar attendee and survey data is limited to ISC employees. We don’t share attendee or survey data, except in anonymized or summary form. The exception to this are webinars or surveys that are explicitly jointly sponsored with another organization; in that case we may share the data related to the webinar or survey with our co-sponsor for their own use only.
ISC’s Support Customers
Subscribers to ISC’s software support services have to provide contact information for multiple (usually four) points of contact. This information is required in order for us to provide the support service. This information generally includes: * First and last (family) name * Email address * Organization name (employer) * Phone number (optional)
We use the email address to communicate with support subscribers, to alert them of support ticket updates, to provide notice of new releases, to provide transactional information (such as validation of email address), to send terms and instructions for the support service, and to process forgotten passwords. Very infrequently, we may also use the technical support contact email addresses to survey support users about our support services or product usage, or to provide roadmap updates.
We don’t have any regular support process that uses customer telephone numbers, but some subscribers of our support services are allowed to contact us via phone and we might conceivably use the telephone number in an unusual process, e.g. for verifying identity when updating contact information or for password recovery.
Support technical contact information is stored in our support ticketing system, which is operated by ISC in the US. (Some technical support contacts may also be included in our main (SugarCRM) contact database.) This database also includes a log of customer support tickets opened and our responses to them, and may include core dumps, configuration files, and software logs.
We use this information to support customers, and to identify and troubleshoot issues in our software. Access is limited to current ISC employees. We retain this record even after an individual or organization terminates their support relationship with ISC, unless they specifically request we delete it, because it provides us with a valuable technical record.
Our standard support services agreement includes an NDA. We don’t publicly identify customers or their representatives unless the customer does so first. When we log issues in our publicly visible issue trackers on behalf of support customers, we either make the issue private, or anonymize the support customer’s identity.
Donors to ISC
- If you have made a donation to ISC, your name and contact information may also be in our contact database, discussed above. We use this information to acknowledge your donation and we may use it to solicit future donations.
- We normally acknowledge donations of $10 or more on our website. We are happy to refrain from this if you request anonymity.
Credit Card Information
In the event you choose to make a donation or purchase using your credit card, we will request credit card information, including number, expiration date, billing address, and card security code so your donation can be processed. This information passes directly to ISC’s payment processor, PayPal. ISC neither uses nor stores this information.
Technical Data
- We previously used Google tags on our Sites to support basic statistics about # of visitors, pages visited, time spent, browsers used and geographic location of our users. In October 2018, we discontinued that practice and have removed all Google Analytics services from ISC’s Sites.
- Our Sites formerly used third parties for web analytics services so that we could understand how visitors interacted with our sites. As of October 2018, we have removed all these services from our Sites as an additional layer of privacy protection for our Subscribers and Visitors. These services and/or vendors were:
- Google Analytics – our primary source for website analytics
- Google Tag Manager – the mechanism we used for sending information into Google Analytics
- Google Custom Search Engine (CSE) – the tool we used when people searched across our sites
- Evergreen Digital Media – a consultant who helped us to maintain our Google Ads (a free benefit provided to non-profits by Google that makes it easier for non-profits to promote their web site in search results). This organization had access to our Google Analytics data for the purpose of improving our Google Ad effectiveness.
- We have declined to opt into any of the extended tracking and analysis that Google offers which attempts to enrich this data with other data Google may have about other user behavior or demographics.
- Many of our online systems have logs, which log IP addresses of connections. We don’t do any processing to attempt to associate these addresses with usernames, email addresses, or organizations. We do analyze the logs in aggregated form to determine site usage and software download levels.
- One exception to this is F-Root: we do share some F-Root data with ICANN and DNS-OARC for research purposes only. Any such traffic logs we share after the GDPR implementation date of May 25, 2018 will be anonymized.
Third Parties Who May Store or Process Personal Data
We use services for interacting with users, optimizing our websites, and managing our search presence. Each of our contracts with these third parties restricts the use of personal information so it can only be used to provide the services under the contracts. In addition, these companies are required to treat all information and protect it by processes and procedures no less strict than those used by ISC.
Our current services and/or contractors are: * SugarCRM – hosts ISC’s contact database. Access is limited to a few ISC employees. * Document360 - hosts ISC’s Knowledgebase. Access to articles is open to the public, without registration or login. * Github – hosts ISC open source and has Personal Data submitted by users in issues and patch requests as well as technical data Github may collect. Access is public. * Nabble – provides us with a hosted forum service, an alternative public discussion venue for ISC software and services. Nabble has access only to data already published on ISC mailing lists. * Zoom – provides conferencing services and may have data on prior conference attendance. * SurveyMonkey – provides survey operations and has data on prior survey responses, which may include technical data such as IP address from cookies.
We can be contacted, about this or anything else, at info@isc.org.
Our main phone number (which generally goes to voicemail) is +1 650-423-1300. Our business address is 950 Charter Street, Redwood City, CA 94063.
