From ca9fed91431eab6b72e8d1ffae0ed8294677dc7d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= <michal@isc.org>
Date: Mon, 4 Sep 2023 11:54:57 +0200
Subject: [PATCH] Move security-related information to SECURITY.md

To follow current best practices, create a short SECURITY.md file in the
root of the repository that contains information about the project's
security policy and guidelines for reporting potential security issues.
Replace the relevant bits of text in other files with references to the
new SECURITY.md file, so that the relevant information only needs to be
maintained in one place.

Replace all occurrences of the generic security-officer@isc.org email
with a dedicated address for reporting BIND 9 security issues,
bind-security@isc.org.
---
 CONTRIBUTING.md | 17 +----------------
 README.md       | 14 +++-----------
 SECURITY.md     | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 27 deletions(-)
 create mode 100644 SECURITY.md

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 4b3db89381..c108dbeec6 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -102,22 +102,7 @@ Twitter, or Facebook.
 
 ### Reporting possible security issues
 
-If you think you may be seeing a potential security vulnerability in BIND
-(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
-report it immediately by emailing to security-officer@isc.org. Plain-text
-e-mail is not a secure choice for communications concerning undisclosed
-security issues so please encrypt your communications to us if possible,
-using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
-
-Do not discuss undisclosed security vulnerabilities on any public mailing list.
-ISC has a long history of handling reported vulnerabilities promptly and
-effectively and we respect and acknowledge responsible reporters.
-
-ISC's Security Vulnerability Disclosure Policy is documented at
-[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
-
-If you have a crash, you may want to consult
-["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
+See `SECURITY.md`.
 
 ### <a name="contrib"></a>Contributing code
 
diff --git a/README.md b/README.md
index 07cf1decf1..6e39de51e7 100644
--- a/README.md
+++ b/README.md
@@ -74,17 +74,9 @@ contents of your configuration file in a non-confidential issue, it is
 advisable to obscure key secrets; this can be done automatically by
 using `named-checkconf -px`.
 
-If you are reporting a bug that is a potential security issue, such as an
-assertion failure or other crash in `named`, please do *NOT* use GitLab to
-report it. Instead, send mail to
-[security-officer@isc.org](mailto:security-officer@isc.org) using our
-OpenPGP key to secure your message. (Information about OpenPGP and links
-to our key can be found at
-[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
-discuss the bug on any public mailing list.
-
-For a general overview of ISC security policies, read the Knowledgebase
-article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+For information about ISC's Security Vulnerability Disclosure Policy and
+information about reporting potential security issues, please see
+`SECURITY.md`.
 
 Professional support and training for BIND are available from
 ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..2c63605988
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,35 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+# Security Policy
+
+ISC's Security Vulnerability Disclosure Policy is documented in the
+relevant [ISC Knowledgebase article][1].
+
+## Reporting possible security issues
+
+If you think you may be seeing a potential security vulnerability in
+BIND (for example, a crash with a REQUIRE, INSIST, or ASSERT failure),
+please report it immediately by [opening a confidential GitLab issue][2]
+(preferred) or emailing bind-security@isc.org.
+
+Please do not discuss undisclosed security vulnerabilities on any public
+mailing list. ISC has a long history of handling reported
+vulnerabilities promptly and effectively and we respect and acknowledge
+responsible reporters.
+
+If you have a crash, you may want to consult the Knowledgebase article
+entitled ["What to do if your BIND or DHCP server has crashed"][3].
+
+[1]: https://kb.isc.org/docs/aa-00861
+[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Bug
+[3]: https://kb.isc.org/docs/aa-00340