If you suspect you have found a security defect in BIND 9, Kea DHCP, Stork, or ISC DHCP, or if you wish to inquire about a security issue you have learned about that has not yet been publicly announced, ISC encourages you to take one or more of the following actions, as appropriate:
- Open a confidential GitLab issue (preferred) or send email to firstname.lastname@example.org - for BIND 9-related security issues
- Send email to email@example.com - for Kea DHCP-related security issues
- Send email to firstname.lastname@example.org - for Stork-related security issues
Emails to any of the above addresses automatically create secure, confidential issues in ISC’s GitLab instance.
- email@example.com - for any other security issues*
* If possible, we ask that you please encrypt your communications to the firstname.lastname@example.org address using the ISC Security Officer public key found on our PGP Key page. Our OpenPGP keys are also available from our FTP site.
More information is available about How to Submit a Bug Report.
Learn more about ISC’s Software Defect and Security Vulnerability Disclosure Policy.
If you believe you have found a security vulnerability that applies to DNS implementations generally, and you want to report this responsibly to a number of implementers, you might consider also using the Open Source DNS Vulnerability mailing list, managed by DNS-OARC.
Reporting a Bug That Is NOT a Security Vulnerability
- Please report bugs in BIND 9 by opening an issue in our BIND GitLab.
- Please report bugs in Kea at our Kea GitLab.
- Please report bugs in Stork in our Stork GitLab.
- Please report ISC DHCP bugs at our ISC DHCP GitLab.
Ensuring You Are Not Running Software With a Known Vulnerability
To ensure that you are notified of any newly discovered vulnerabilities, you should become an ISC support subscriber, which entitles you to advance notification of security vulnerabilities via a secure, private support queue.
ISC uses the CVSS calculator, a program of first.org and NIST, to determine the severity of potential security issues. We invite users to read more about our CVSS Scoring Guidelines in our Knowledgebase.