Reporting Security Vulnerabilities

Securing ISC's open source software

If you suspect you have found a security defect in BIND 9, ISC DHCP, or Kea DHCP, or if you wish to inquire about a security issue you have learned of that has not yet been publicly announced, please contact our Security Officer via email at security-officer@isc.org. Plain-text email is not a secure channel for communications concerning undisclosed security issues, so we ask that you encrypt your communications to us using the ISC Security Officer public key.

More information is available about How to Submit a Bug Report.

Learn more about ISC’s Software Defect and Security Vulnerability Disclosure Policy.

If you believe you have found a security vulnerability that applies to DNS implementations generally, and you want to report this responsibly to a number of implementers, you might consider also using the Open Source DNS Vulnerability mailing list, managed by DNS-OARC.


Reporting a Bug That Is NOT a Security Vulnerability

Ensuring You Are Not Running Software With a Known Vulnerability

For a listing of security vulnerabilities in BIND 9, please see the BIND 9 Security Vulnerability Matrix in ISC’s Knowledgebase. Kea and ISC DHCP CVEs are also available in our Knowledgebase.

To ensure that you are notified of any newly discovered vulnerabilities, you should become an ISC support subscriber, which entitles you to advance notification of security vulnerabilities via a secure, private support queue.

You can also follow ISC security notices by subscribing to one of our mailing lists. Please subscribe to the BIND-announce, Kea-announce, and/or DHCP-announce list(s), as appropriate.

ISC uses the CVSS calculator, a program of first.org and NIST, to determine the severity of potential security issues.