If you suspect you have found a security defect in BIND 9, ISC DHCP, or Kea DHCP, or if you wish to inquire about a security issue that you have learned about which has not yet been publicly announced, please contact our Security Officer via our [Bug Report Form]().
You may also email us at email@example.com. However, plain-text e-mail is not a secure choice for communications concerning undisclosed security issues, so we ask that you please encrypt your communications to us using the [ISC Security Officer public key]().
Learn more about ISC’s Software Defect and Security Vulnerability Disclosure Policy.
Reporting a Bug That Is NOT a Security Vulnerability
- Please report bugs in BIND 9 by opening an issue in our BIND GitLab.
- Please report bugs in Kea at our Kea GitLab.
- You may report DHCP bugs by sending an email to firstname.lastname@example.org. (Feature requests should be sent to email@example.com.)
Ensuring You Are Not Running Software With a Known Vulnerability
For a listing of security vulnerabilities in BIND 9, please see the BIND 9 Security Vulnerability Matrix in ISC’s Knowledgebase.
To be notified of any new discovered vulnerabilities, you should either become a BIND 9 Basic support subscriber, which entitles you to advance notification of security vulnerabilities via a secure one-way support queue, or you can follow ISC security notices by subscribing to the BIND-announce mailing list.
ISC uses the CVSS calculator, a program of first.org and NIST, to determine the severity of potential security issues.