Security Vulnerabilities

Reporting a security vulnerability

If you suspect you have found a security defect in BIND or DHCP, or if you wish to inquire about a security issue that you have learned about which has not yet been publicly announced, ISC encourages you to get in touch with our Security Officer by selecting the appropriate pull-down on the Bug Report Form.

Alternatively, you can email us at  However, plain-text e-mail is not a secure choice for communications concerning undisclosed security issues so we ask that you please encrypt your communications to us using the ISC Security Officer public key.

Learn more about Security Vulnerability Disclosure Policy at

Reporting a Bug that is NOT a security vulnerability

  • Please report bugs in BIND 9 by opening an issue in our BIND Gitlab.
  • Please report bugs in Kea at our Kea Trac instance.
  • You may report DHCP bugs, or request features by using the Bug Report Form. You may also use email, if you prefer, by contacting us at

Ensuring you are not running software with a known vulnerability

For listing of security vulnerabilities about BIND 9, visit ISC’s Knowledge Base’s BIND 9 Vulnerabilities Matrix.

To be notified of any new discovered vulnerabilities, you can either subscribe for BIND Basic support, which entitles you to advance notification of security vulnerabilities via a secure one-way support queue, or you can follow ISC security notices by subscribing to the BIND-Announce mailing list.

ISC uses the CVSS, a program of and NIST, to determine the severity of potential security issues.


Last modified: October 29, 2018 at 7:50 am