Reporting Security Vulnerabilities

Securing ISC's open source software

If you suspect you have found a security defect in BIND 9, ISC DHCP, or Kea DHCP, or if you wish to inquire about a security issue you have learned of that has not yet been publicly announced, please contact our Security Officer via our Bug Report Form.

You may also email us at However, plain-text e-mail is not a secure choice for communications concerning undisclosed security issues, so we ask that you please encrypt your communications to us using the ISC Security Officer public key.

Learn more about ISC’s Software Defect and Security Vulnerability Disclosure Policy.

Reporting a Bug That Is NOT a Security Vulnerability

Ensuring You Are Not Running Software With a Known Vulnerability

For a listing of security vulnerabilities in BIND 9, please see the BIND 9 Security Vulnerability Matrix in ISC’s Knowledgebase.

To be notified of any newly discovered vulnerabilities, you can either become a BIND 9 Basic support subscriber, which entitles you to advance notification of security vulnerabilities via a secure one-way support queue, or follow ISC security notices by subscribing to the BIND-announce mailing list.

ISC uses the CVSS calculator, a program of and NIST, to determine the severity of potential security issues.