From 037d8452669f94be1116a1076907fb3170141c85 Mon Sep 17 00:00:00 2001 From: Ben Scott Date: Tue, 9 Jun 2026 13:57:55 -0400 Subject: [PATCH 1/9] Use reference links for e-n-d and p-p --- .gitlab/issue_templates/Internal_use_only-CVE.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index cd8441b716..0e9f607e88 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -13,14 +13,16 @@ confidential! | Public Disclosure Date: | YYYY-MM-DD | | CVSS Score: | [0.0][cvss_score_url] | | CWE: | [CWE-NNN][cwe_category_url] | -| Earliest Notification: | support-team/earliest-notification-drafting!NNN | -| Security Advisory: | isc-private/printing-press!NNN | +| Earliest Notification: | [e-n-d!NNN][earliest_url] | +| Security Advisory: | [p-p!NNN][press_url] | | Zulip Topic: | [CVE-YYYY-NNNN][zulip_url] | | Support Ticket: | [URL] | | Release Checklist: | #NNNN | [cvss_score_url]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1 [cwe_category_url]: https://cwe.mitre.org/data/definitions/NNN.html +[earliest_url]: support-team/earliest-notification-drafting!NNN +[press_url]: isc-private/printing-press!NNN [zulip_url]: https://zulip.isc.org/#narrow/channel/4-bind9/topic/CVE-... :bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.** From fdf91833b2f4410d23dd16a057a16e2a66220b48 Mon Sep 17 00:00:00 2001 From: Ben Scott Date: Tue, 9 Jun 2026 14:17:28 -0400 Subject: [PATCH 2/9] Zulip URL to bind-incidents channel --- .gitlab/issue_templates/Internal_use_only-CVE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
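Review bot: the new `[earliest_url]` and `[press_url]` definitions use the bare `group/project!NNN` shorthand as a link destination. In the old inline form GitLab autolinked that shorthand as a cross-project merge request reference, but inside a reference-link definition the destination is taken as a URL, so it is likely to render as a relative path rather than resolve to the MR; check the rendered preview and, if it does not resolve, use the project's full `/-/merge_requests/NNN` URL, as `[cvss_score_url]` and `[cwe_category_url]` just above already use full URLs.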
diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 0e9f607e88..10433a1ecd 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -23,7 +23,7 @@ confidential! [cwe_category_url]: https://cwe.mitre.org/data/definitions/NNN.html [earliest_url]: support-team/earliest-notification-drafting!NNN [press_url]: isc-private/printing-press!NNN -[zulip_url]: https://zulip.isc.org/#narrow/channel/4-bind9/topic/CVE-... +[zulip_url]: https://zulip.isc.org/#narrow/channel/41-bind9-incidents/topic/XXXXX :bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.** From 6200f7eeb90796e6cff99a0ebe504f16ff9551f4 Mon Sep 17 00:00:00 2001 From: Ben Scott Date: Tue, 9 Jun 2026 15:27:53 -0400 Subject: [PATCH 3/9] Make table narrower Drop some unneccesary words to make it narrower. Makes it a little easier to work with, and a little easier to read quickly. --- .../issue_templates/Internal_use_only-CVE.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 10433a1ecd..7eb108c442 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
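Review bot: the topic placeholder changes from `CVE-...` to `XXXXX`, but the table row that uses this reference (`[CVE-YYYY-NNNN][zulip_url]`, visible as unchanged context in the next patch) still presents the topic as being named after the CVE; keep the two placeholders consistent so whoever fills in the template knows what the topic is expected to be called. The commit has no body: one sentence on why incident discussion moves from `4-bind9` to `41-bind9-incidents` would help future readers of the history.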
@@ -6,18 +6,18 @@ if it involves an assertion failure or other crash in `named` that can be triggered repeatedly - then please make sure that you make the new issue confidential! --> -| How to? | Click on [:grey_question:][checklist_explanations] for each step | -| ------------------------ | ---------------------------------------------------------------------- | -| Incident Manager: | @user (assigned SwEng person) [:grey_question:][step_incident_manager] | -| Multi-vendor? | :question: Yes/No? [:grey_question:][step_coordinate_cve_id] | -| Public Disclosure Date: | YYYY-MM-DD | -| CVSS Score: | [0.0][cvss_score_url] | -| CWE: | [CWE-NNN][cwe_category_url] | -| Earliest Notification: | [e-n-d!NNN][earliest_url] | -| Security Advisory: | [p-p!NNN][press_url] | -| Zulip Topic: | [CVE-YYYY-NNNN][zulip_url] | -| Support Ticket: | [URL] | -| Release Checklist: | #NNNN | +| How to? | Click on [:grey_question:][checklist_explanations] for each step | +| ------------------ | ---------------------------------------------------------------------- | +| Incident Manager: | @user (assigned SwEng person) [:grey_question:][step_incident_manager] | +| Multi-vendor? | :question: Yes/No? [:grey_question:][step_coordinate_cve_id] | +| Public Disclosure: | YYYY-MM-DD | +| CVSS Score: | [0.0][cvss_score_url] | +| CWE: | [CWE-NNN][cwe_category_url] | +| Earliest EVN: | [e-n-d!NNN][earliest_url] | +| Security Advisory: | [p-p!NNN][press_url] | +| Zulip Topic: | [CVE-YYYY-NNNN][zulip_url] | +| Support Ticket: | [URL] | +| Release Checklist: | #NNNN | [cvss_score_url]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1 [cwe_category_url]: https://cwe.mitre.org/data/definitions/NNN.html From 62c10ec450c75cb5c8cb10d185d9d05bcb8f221f Mon Sep 17 00:00:00 2001 
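Review bot: `Earliest EVN:` introduces the acronym EVN without it being expanded anywhere in the template (the checklist step it corresponds to still says "earliest" notification), so a reader new to the process cannot resolve it; spell it out once, or keep `Earliest Notification:`, which still fits the narrowed label column. Commit message: `unneccesary` should be `unnecessary`.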
From: Ben Scott Date: Tue, 9 Jun 2026 15:30:10 -0400 Subject: [PATCH 4/9] Clearer links to instructions, at top I think this gets lost as part of the table header. Maybe that's just me. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 7eb108c442..a848794520 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -6,7 +6,12 @@ if it involves an assertion failure or other crash in `named` that can be triggered repeatedly - then please make sure that you make the new issue confidential! --> -| How to? | Click on [:grey_question:][checklist_explanations] for each step | + +[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations + +⏩ **Each [:grey_question:][checklist_explanations] is a link to [explainations of each checklist step][checklist_explanations].** ⏪ + +| Quick Links | | | ------------------ | ---------------------------------------------------------------------- | | Incident Manager: | @user (assigned SwEng person) [:grey_question:][step_incident_manager] | | Multi-vendor? | :question: Yes/No? [:grey_question:][step_coordinate_cve_id] | @@ -25,12 +30,6 @@ confidential! [press_url]: isc-private/printing-press!NNN [zulip_url]: https://zulip.isc.org/#narrow/channel/41-bind9-incidents/topic/XXXXX -:bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.** - -:question: Not sure about something? Ask! - -[checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations - ### Before Code Freeze - [ ] [:grey_question:][step_respond] **(SwEng)** Respond to the bug reporter 
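Review bot: the added banner line misspells `explanations` as `explainations` (patch 8 of this series fixes it; squash that fix into this commit so no intermediate state carries the typo). The second hunk also drops `:question: Not sure about something? Ask!` without the commit message mentioning it; if the removal is intentional, say so, otherwise keep the line next to the new banner. `| Quick Links | |` leaves the second header cell empty and is changed again in the next patch, so the two header-row edits could be folded into one.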
From 74e3e7f75614352f888439f0ba9c2654e5410a9b Mon Sep 17 00:00:00 2001 From: Ben Scott Date: Tue, 9 Jun 2026 15:31:44 -0400 Subject: [PATCH 5/9] Add TOC and section headings These can make navigation much easier, when the original report is large. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index a848794520..80e29e064c 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -7,11 +7,15 @@ triggered repeatedly - then please make sure that you make the new issue confidential! --> +[TOC] + +## Quick Links + [checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations ⏩ **Each [:grey_question:][checklist_explanations] is a link to [explainations of each checklist step][checklist_explanations].** ⏪ -| Quick Links | | +| | | | ------------------ | ---------------------------------------------------------------------- | | Incident Manager: | @user (assigned SwEng person) [:grey_question:][step_incident_manager] | | Multi-vendor? | :question: Yes/No? [:grey_question:][step_coordinate_cve_id] | @@ -30,6 +34,8 @@ confidential! [press_url]: isc-private/printing-press!NNN [zulip_url]: https://zulip.isc.org/#narrow/channel/41-bind9-incidents/topic/XXXXX +## CVE Checklist + ### Before Code Freeze - [ ] [:grey_question:][step_respond] **(SwEng)** Respond to the bug reporter 
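Review bot: the header row becomes `| | |`, which renders as a blank header band above the Quick Links table; now that `## Quick Links` carries the title, either give the header meaningful cells (for example `| Item | Link |`) or keep the previous `| Quick Links | |`. Also, the `[checklist_explanations]` definition now sits between the new heading and the banner; it does not render, but moving it next to the other reference definitions at the bottom keeps the section body readable in the raw template.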
@@ -125,4 +131,6 @@ confidential! [step_evn_clear]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#update-the-tickets-in-the-evn-queues-in-rt-that-the-embargo-is-lifted [step_customers]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-that-a-ticket-has-been-sent-in-the-appropriate-announce-queue-in-rt-to-notify-customers-that-the-release-is-published-as-outlined-in-the-release-checklist +## Original Report + /confidential From a026d31095a29a99c396b1fe3e380f3467120a22 Mon Sep 17 00:00:00 2001 From: Ben Scott Date: Wed, 10 Jun 2026 13:08:32 -0400 Subject: [PATCH 6/9] CVE and CVSS+CWE as separate steps "Assigning CVE" and "Assigning CVSS+CWE" are really two different steps. CVE is bookeeping; we just request the ID and type it in. CVSS and CWE require a judgement determination, and often involve discussion. At the same time, sometimes we forget to put the CVE ID in right away. Since we already have a separate step for CVE assignment, let's put "update the issue with the CVE ID" in that step, too. Then the second step can be entirely about CVSS+CWE. Same number of steps, just clearer separation of what the steps are about. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 80e29e064c..d4c1391155 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
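Review bot: `## Original Report` is added directly above the `/confidential` quick action with nothing indicating what goes under it; add a placeholder (an HTML comment like the one at the top of the template, asking the filler to paste the reporter's text here) and note that `/confidential` must stay on its own line as the last line so the quick action is still recognised once text is pasted above it. `[TOC]` will list this heading even while the section is empty.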
@@ -41,8 +41,8 @@ confidential! - [ ] [:grey_question:][step_respond] **(SwEng)** Respond to the bug reporter - [ ] [:grey_question:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue - [ ] [:grey_question:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) - - [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier - - [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category + - [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier, and update the GitLab Issue with it + - [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Determine CVSS score and CWE category, and update the GitLab Issue with them - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition and supported EOL versions) - [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - [ ] [:grey_question:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers From 4fac2a92db4d41a481c8e899bb24c378f801ea54 Mon Sep 17 00:00:00 2001 
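Review bot: the step text changes but both items keep their existing explanation anchors (`step_assign_cve_id`, `step_note_cve_info`); confirm that the wiki section behind `step_note_cve_info` now describes determining the CVSS score and CWE category rather than noting the CVE ID, otherwise the :grey_question: link contradicts the step it is attached to. Commit message: `bookeeping` should be `bookkeeping`.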
From: Ben Scott Date: Wed, 10 Jun 2026 15:56:00 -0400 Subject: [PATCH 7/9] Explicit sub-steps for assessing -S and EOL For the step where we assess which product versions/branches are vulnerable to the flaw, add explicit subordinate steps for assessing Special Subscriber -S Preview edition, and end-of-life versions that are still received paid fixes. While we have GitLab labels to indicate affected versions, there is no satisfactory mechanism in place to indicate that assessment of all versions is complete, and thus anything not labeled as affected can be considered immune. Explicit checklist steps will allow others to see when assessment is complete. Per the following discussions: https://zulip.isc.org/#narrow/channel/4-bind9/topic/Unaffected.20labels.20for.20vulnerability.20issues/near/25643 https://zulip.isc.org/#narrow/channel/4-bind9/topic/CVE.20checklist.20updates/near/26307 --- .gitlab/issue_templates/Internal_use_only-CVE.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index d4c1391155..0a3960ceba 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
@@ -43,7 +43,9 @@ confidential! - [ ] [:grey_question:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) - [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier, and update the GitLab Issue with it - [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Determine CVSS score and CWE category, and update the GitLab Issue with them - - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition and supported EOL versions) + - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine product branches/versions affected + - [ ] **(SwEng)** Including Subscription Edition(s) + - [ ] **(SwEng)** Including EOL version(s) receiving paid support - [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - [ ] [:grey_question:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers - [ ] [:grey_question:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it From eb2c53379929d19201724e73f8ec499206e9aff4 Mon Sep 17 00:00:00 2001 From: Ben Scott Date: Wed, 10 Jun 2026 15:58:35 -0400 Subject: [PATCH 8/9] Fix typo Learn to spell, Ben. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 0a3960ceba..8b5c1451fa 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
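Review bot: the two new sub-steps are the only checklist items without a `[:grey_question:]` explanation link, and they are worded as inclusions ("Including ...") rather than as a result. Since the commit message says the point is to let others see that assessment of every version is complete (so anything not labelled affected can be treated as immune), phrase them as outcomes, for example "Subscription Edition(s) assessed and labelled", and give them explanation anchors so the wiki can state which EOL versions count as receiving paid support. Commit message: "still received paid fixes" should be "still receiving paid fixes".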
@@ -13,7 +13,7 @@ confidential! [checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations -⏩ **Each [:grey_question:][checklist_explanations] is a link to [explainations of each checklist step][checklist_explanations].** ⏪ +⏩ **Each [:grey_question:][checklist_explanations] is a link to [explanations of each checklist step][checklist_explanations].** ⏪ | | | | ------------------ | ---------------------------------------------------------------------- | From 485d750ae90252e75be8410b4c50bb86bb223875 Mon Sep 17 00:00:00 2001 From: Ben Scott Date: Wed, 10 Jun 2026 16:09:24 -0400 Subject: [PATCH 9/9] Clarify EVN steps Support has to prepare and send EVN/Advisory texts. Clarify what is done, when, and using which tool. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 8b5c1451fa..75aac2933d 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
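Review bot: this only corrects a typo introduced by patch 4 of the same series; squash it into that commit so the series does not carry a known-bad intermediate state, or at least name the commit it fixes in the message.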
@@ -46,9 +46,9 @@ confidential! - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine product branches/versions affected - [ ] **(SwEng)** Including Subscription Edition(s) - [ ] **(SwEng)** Including EOL version(s) receiving paid support - - [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - - [ ] [:grey_question:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers - - [ ] [:grey_question:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it + - [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare text for Earliest EVN notification in e-n-d + - [ ] [:grey_question:][step_earliest_send] **(Support)** Send Earliest EVN notification in RT + - [ ] [:grey_question:][step_advisory_mr] **(Support)** Begin preparing the Security Advisory in printing-press - [ ] [:grey_question:][step_reproducer] **(SwEng)** Prepare a private merge request containing a system test reproducing the problem - [ ] [:grey_question:][step_notify_support] **(SwEng)** Notify Support when a reproducer is ready - [ ] [:grey_question:][step_code_analysis] **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem 
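Review bot: within one hunk the tools are named inconsistently: `e-n-d` (an abbreviation that only appears as link text in the Quick Links table) next to the spelled-out `printing-press`; use `earliest-notification-drafting` here, or link both words to the `[earliest_url]` and `[press_url]` references so the reader lands on the right project. The send step also loses the queue detail the old text carried ("support portal Earliest queue"); since the commit's stated goal is to clarify which tool is used, keep it, e.g. "Send Earliest EVN notification from the Earliest queue in RT".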
@@ -57,7 +57,7 @@ confidential! - [ ] [:grey_question:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix - [ ] [:grey_question:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product - [ ] [:grey_question:][step_merge_fixes] **(SwEng)** Merge the CVE fixes and reproducer when they get approved - - [ ] [:grey_question:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory + - [ ] [:grey_question:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory in printing-press - [ ] [:grey_question:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle - [ ] [:grey_question:][step_coordinate_check] **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon