• Experimenting with a new practice for pre-announcing vulnerabilitydisclosures

    From Michael McNally@mcnally@isc.org to bind-users on Thu May 14 00:35:43 2020
    From Newsgroup: comp.protocols.dns.bind

    Hey BIND-users,
    I hope that most of you are already subscribed to the bind-announce list.
    But for those who are not, bind-announce is another public list operated
    by Internet Systems Consortium. It is a low-traffic list which ISC staff
    use to make announcements concerning the BIND project -- most frequently
    about the release of new versions of BIND or occasionally when we disclose a serious security vulnerability. You can subscribe by going to: https://lists.isc.org
    The reason I bring it up is that ISC is experimenting with a new practice
    to extend our Security Vulnerability Disclosure Process. After observing
    this practice being used successfully by other open-source projects, we
    have modified our disclosure policy to allow us to (optionally) make a
    limited pre-announcement giving a "heads up" a few days before a public disclosure occurs.
    Such pre-announcements, should they occur, will be posted to the bind-announce list and you can see the first example of one in the list archives even if
    you are not a subscriber:
    https://lists.isc.org/pipermail/bind-announce/2020-May/001153.html
    Michael McNally
    ISC Support
    --- Synchronet 3.18a-Linux NewsLink 1.113