If you suspect you have found a vulnerability in BIND 9, Kea DHCP, Stork, or ISC DHCP, or if you wish to inquire about a vulnerability that you have learned about which has not yet been publicly announced, ISC encourages you to take one or more of the following actions, as appropriate:

- Open a confidential GitLab issue at https://gitlab.isc.org/isc-projects/bind9/-/issues/new?description_template=Security_issue (strongly preferred) or send email to bind-security@isc.org - for BIND 9-related vulnerabilities
- Send email to kea-security@isc.org - for Kea DHCP-related vulnerabilities
- Send email to stork-security@isc.org - for Stork-related vulnerabilities

Emails to any of the above addresses automatically create secure, confidential issues in ISC's GitLab instance. We strongly prefer that you open an issue in the respective ISC GitLab repo if at all possible because this makes it possible to keep you, the reporter, updated as we triage and remediate the issue. We use GitLab to organize all our development work and having some issues conducted via email is simply not workable. We are experiencing a historic increase in software vulnerability reports due to code analysis by LLMs and we appreciate your willingness to moderate the coordination overhead by using ISC's GitLab for your vulnerability reports.

- security-officer@isc.org - for any other security issues*

* If this is an unusually sensitive security issue we ask that you please encrypt your communications to the security-officer@isc.org address using the ISC Security Officer public key found on our PGP Key page (https://www.isc.org/pgpkey/). Our OpenPGP keys are also available from our FTP site (https://downloads.isc.org/isc/pgpkeys/). PGP encryption is not usually necessary when reporting a suspected software vulnerability.

More information is available about How to Submit a Bug Report (https://www.isc.org/reportbug/).
Learn more about ISC's Software Defect and Vulnerability Disclosure Policy (https://kb.isc.org/docs/aa-00861).

Reporting a Bug That Is NOT a Software Vulnerability

If you are not sure whether your bug is in fact a software vulnerability, open it as a confidential issue, and we will remove the confidentiality flag when triaging.

- Please report bugs in BIND 9 by opening an issue in our BIND GitLab (https://gitlab.isc.org/isc-projects/bind9/-/issues?sort=created_date&state=opened&first_page_size=100).
- Please report bugs in Kea at our Kea GitLab (https://gitlab.isc.org/isc-projects/kea/-/issues?sort=created_date&state=opened&first_page_size=100).
- Please report bugs in Stork in our Stork GitLab (https://gitlab.isc.org/isc-projects/stork/-/issues?sort=closed_at_desc&state=opened&first_page_size=100).
- Please report ISC DHCP bugs at our ISC DHCP GitLab (https://gitlab.isc.org/isc-projects/dhcp/-/issues?sort=created_date&state=opened&first_page_size=100).

Ensuring You Are Not Running Software With a Known Vulnerability

For a listing of vulnerabilities in BIND 9, please see the BIND 9 Vulnerability Matrix in ISC's Knowledgebase (https://kb.isc.org/docs/aa-00913). Kea and ISC DHCP CVEs are also available in our Knowledgebase (https://kb.isc.org/docs).

To ensure that you are notified of any newly discovered vulnerabilities, you should become an ISC support subscriber, which entitles you to early notification of vulnerabilities via a secure, private support queue.

You can also follow ISC vulnerability notices by subscribing to one of our community mailing lists. Please subscribe to the BIND-announce (https://lists.isc.org/mailman/listinfo/bind-announce), Kea-announce (https://lists.isc.org/mailman/listinfo/kea-announce), and/or DHCP-announce (https://lists.isc.org/mailman/listinfo/dhcp-announce) list(s), as appropriate.

ISC uses the CVSS calculator, a program of first.org and NIST, to determine the severity of potential security issues. We invite users to read more about our CVSS Scoring Guidelines in our Knowledgebase (https://kb.isc.org/docs/isc-cvss-scoring-guidelines).