From: Michael McNally
Newsgroups: comp.protocols.dns.bind
Subject: Experimenting with a new practice for pre-announcing vulnerability disclosures
Date: Thu, 14 May 2020 00:35:43 -0800
To: bind-users@lists.isc.org
X-Mailman-Original-Message-ID: <6978e6dd-6187-2c1f-d51a-5c617612e03c@isc.org>

Hey BIND-users,

I hope that most of you are already subscribed to the bind-announce list. But for those who are not, bind-announce is another public list operated by Internet Systems Consortium. It is a low-traffic list which ISC staff use to make announcements concerning the BIND project -- most frequently about the release of new versions of BIND or occasionally when we disclose a serious security vulnerability.

You can subscribe by going to: https://lists.isc.org

The reason I bring it up is that ISC is experimenting with a new practice to extend our Security Vulnerability Disclosure Process. After observing this practice being used successfully by other open-source projects, we have modified our disclosure policy to allow us to (optionally) make a limited pre-announcement giving a "heads up" a few days before a public disclosure occurs.

Such pre-announcements, should they occur, will be posted to the bind-announce list and you can see the first example of one in the list archives even if you are not a subscriber:

https://lists.isc.org/pipermail/bind-announce/2020-May/001153.html

Michael McNally
ISC Support