Experimenting with a new practice for pre-announcing vulnerability disclosures


Michael McNally
Hey BIND-users,

I hope that most of you are already subscribed to the bind-announce list.
But for those who are not, bind-announce is another public list operated
by Internet Systems Consortium.  It is a low-traffic list which ISC staff
use to make announcements concerning the BIND project -- most frequently
about the release of new versions of BIND or occasionally when we disclose a
serious security vulnerability.  You can subscribe by going to: https://lists.isc.org

The reason I bring it up is that ISC is experimenting with a new practice
to extend our Security Vulnerability Disclosure Process.  After observing
this practice being used successfully by other open-source projects, we
have modified our disclosure policy to allow us to (optionally) make a
limited pre-announcement giving a "heads up" a few days before a public
disclosure occurs.

Such pre-announcements, should they occur, will be posted to the bind-announce
list and you can see the first example of one in the list archives even if
you are not a subscriber:


Michael McNally
ISC Support