bind/SECURITY.md

<!--
Copyright (C) Internet Systems Consortium, Inc. ("ISC")

SPDX-License-Identifier: MPL-2.0

This Source Code Form is subject to the terms of the Mozilla Public
License, v. 2.0.  If a copy of the MPL was not distributed with this
file, you can obtain one at https://mozilla.org/MPL/2.0/.

See the COPYRIGHT file distributed with this work for additional
information regarding copyright ownership.
-->
# Security Policy

ISC's Security Vulnerability Disclosure Policy is documented in the
relevant [ISC Knowledgebase article][1].

## Reporting possible security issues

If you think you may be seeing a potential security vulnerability in BIND (for
example, a crash with a REQUIRE, INSIST, or ASSERT failure), please report it
immediately by [opening a confidential GitLab issue][2]. If a GitLab issue is
not an option, please use the template from the file
.gitlab/issue_templates/Security_issue.mde-mail and send it to
bind-security@isc.org.

Please do not discuss undisclosed security vulnerabilities on any public
mailing list. ISC has a long history of handling reported
vulnerabilities promptly and effectively and we respect and acknowledge
responsible reporters.

If you have a crash, you may want to consult the Knowledgebase article
entitled ["What to do if your BIND or DHCP server has crashed"][3].

## Reporting bugs

We are working with the interests of the greater Internet at heart, and
we hope you are too. In that vein, we do not offer bug bounties. If you
think you have found a bug in any ISC software, we encourage you to
[report it responsibly][2]; if verified, we will be happy to credit you
in our Release Notes.

[1]: https://kb.isc.org/docs/aa-00861
[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Security_issue
[3]: https://kb.isc.org/docs/aa-00340
Move security-related information to SECURITY.md To follow current best practices, create a short SECURITY.md file in the root of the repository that contains information about the project's security policy and guidelines for reporting potential security issues. Replace the relevant bits of text in other files with references to the new SECURITY.md file, so that the relevant information only needs to be maintained in one place. Replace all occurrences of the generic security-officer@isc.org email with a dedicated address for reporting BIND 9 security issues, bind-security@isc.org. 2023-09-04 11:54:57 +02:00			`<!--`
			`Copyright (C) Internet Systems Consortium, Inc. ("ISC")`

			`SPDX-License-Identifier: MPL-2.0`

			`This Source Code Form is subject to the terms of the Mozilla Public`
			`License, v. 2.0. If a copy of the MPL was not distributed with this`
			`file, you can obtain one at https://mozilla.org/MPL/2.0/.`

			`See the COPYRIGHT file distributed with this work for additional`
			`information regarding copyright ownership.`
			`-->`
			`# Security Policy`

			`ISC's Security Vulnerability Disclosure Policy is documented in the`
			`relevant [ISC Knowledgebase article][1].`

			`## Reporting possible security issues`

Update security issue reporting procedure We have a new template for people to use. It saves lots of back and forth if people use it. 2025-05-28 12:53:48 +02:00			`If you think you may be seeing a potential security vulnerability in BIND (for`
			`example, a crash with a REQUIRE, INSIST, or ASSERT failure), please report it`
			`immediately by [opening a confidential GitLab issue][2]. If a GitLab issue is`
			`not an option, please use the template from the file`
			`.gitlab/issue_templates/Security_issue.mde-mail and send it to`
			`bind-security@isc.org.`
Move security-related information to SECURITY.md To follow current best practices, create a short SECURITY.md file in the root of the repository that contains information about the project's security policy and guidelines for reporting potential security issues. Replace the relevant bits of text in other files with references to the new SECURITY.md file, so that the relevant information only needs to be maintained in one place. Replace all occurrences of the generic security-officer@isc.org email with a dedicated address for reporting BIND 9 security issues, bind-security@isc.org. 2023-09-04 11:54:57 +02:00
			`Please do not discuss undisclosed security vulnerabilities on any public`
			`mailing list. ISC has a long history of handling reported`
			`vulnerabilities promptly and effectively and we respect and acknowledge`
			`responsible reporters.`

			`If you have a crash, you may want to consult the Knowledgebase article`
			`entitled ["What to do if your BIND or DHCP server has crashed"][3].`

Add text about no bug bounties 2025-03-13 17:56:01 +00:00			`## Reporting bugs`

			`We are working with the interests of the greater Internet at heart, and`
			`we hope you are too. In that vein, we do not offer bug bounties. If you`
			`think you have found a bug in any ISC software, we encourage you to`
			`[report it responsibly][2]; if verified, we will be happy to credit you`
			`in our Release Notes.`

Move security-related information to SECURITY.md To follow current best practices, create a short SECURITY.md file in the root of the repository that contains information about the project's security policy and guidelines for reporting potential security issues. Replace the relevant bits of text in other files with references to the new SECURITY.md file, so that the relevant information only needs to be maintained in one place. Replace all occurrences of the generic security-officer@isc.org email with a dedicated address for reporting BIND 9 security issues, bind-security@isc.org. 2023-09-04 11:54:57 +02:00			`[1]: https://kb.isc.org/docs/aa-00861`
Update URL for bug reports 2025-03-14 15:27:14 +00:00			`[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Security_issue`
Move security-related information to SECURITY.md To follow current best practices, create a short SECURITY.md file in the root of the repository that contains information about the project's security policy and guidelines for reporting potential security issues. Replace the relevant bits of text in other files with references to the new SECURITY.md file, so that the relevant information only needs to be maintained in one place. Replace all occurrences of the generic security-officer@isc.org email with a dedicated address for reporting BIND 9 security issues, bind-security@isc.org. 2023-09-04 11:54:57 +02:00			`[3]: https://kb.isc.org/docs/aa-00340`