From 0435955750e2b5f583812e746d3226213d546e80 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 12:45:54 +0200 Subject: [PATCH 1/9] Deputy Incident Manager is not in use anymore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Deemend too much of overhead by Ondřej Surý. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 8f5417055b..9444ef852c 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -9,7 +9,6 @@ confidential! | Quick Links | :link: | | ------------------------ | ----------------------------------------------- | | Incident Manager: | @user | -| Deputy Incident Manager: | @user | | Public Disclosure Date: | YYYY-MM-DD | | CVSS Score: | [0.0][cvss_score_url] | | CWE: | [CWE-NNN][cwe_category_url] | @@ -29,7 +28,6 @@ confidential! ### Before Code Freeze - - [ ] [:link:][step_deputy] **(IM)** Pick a Deputy Incident Manager - [ ] [:link:][step_respond] **(IM)** Respond to the bug reporter - [ ] [:link:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue - [ ] [:link:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) 
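Review bot: the @@ -9,7 +9,6 and @@ -29,7 +28,6 hunks of patch 1/9 drop the Deputy Incident Manager row and the "Pick a Deputy Incident Manager" step, but nothing left in the template says who covers for the Incident Manager if they become unavailable during an embargo; a one-line fallback in the Quick Links table or in the linked checklist explanations would keep the process from stalling in that case. The [step_deputy] link definition is removed in the next hunk of the same commit, so no dangling reference definition remains. Style: the commit message has "Deemend" for "Deemed".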
@@ -84,7 +82,6 @@ confidential! - [ ] [:link:][step_evn_clear] **(Support)** Update the tickets in the EVN queues in RT that the embargo is lifted - [ ] [:link:][step_customers] **(Marketing)** Ensure that a ticket has been sent in the appropriate announce queue in RT to notify customers that the release is published (as outlined in the release checklist) -[step_deputy]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#pick-a-deputy-incident-manager [step_respond]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter [step_public_mrs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue [step_coordinate_cve_id]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#check-if-we-need-to-coordinate-with-other-vendors-an-industry-wide-cve-identifier-might-be-necessary From 69b66b464bd3f376785d92a769cd50fa0e4b5066 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 12:47:43 +0200 Subject: [PATCH 2/9] Incident Manager is now always the assigned SwEng person All Hands 2026 decision. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 9444ef852c..e7ffe392e6 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
@@ -8,7 +8,7 @@ confidential! --> | Quick Links | :link: | | ------------------------ | ----------------------------------------------- | -| Incident Manager: | @user | +| Incident Manager: | @user (assigned SwEng person) | | Public Disclosure Date: | YYYY-MM-DD | | CVSS Score: | [0.0][cvss_score_url] | | CWE: | [CWE-NNN][cwe_category_url] | @@ -28,10 +28,10 @@ confidential! ### Before Code Freeze - - [ ] [:link:][step_respond] **(IM)** Respond to the bug reporter + - [ ] [:link:][step_respond] **(SwEng)** Respond to the bug reporter - [ ] [:link:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue - [ ] [:link:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) - - [ ] [:link:][step_assign_cve_id] **(IM)** Assign a CVE identifier + - [ ] [:link:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier - [ ] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition) - [ ] [:link:][step_workarounds] **(SwEng)** Determine whether workarounds for the problem exist @@ -70,7 +70,7 @@ confidential! ### On the Day of Public Disclosure - - [ ] [:link:][step_clearance] **(IM)** Grant QA & Marketing clearance to proceed with public release + - [ ] [:link:][step_clearance] **(SwEng)** Grant QA & Marketing clearance to proceed with public release - [ ] [:link:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base - [ ] [:link:][step_bump_advisory] **(Support)** Bump Document Version for the Security Advisory in Printing Press - [ ] [:link:][step_publish_advisory] **(Support)** Publish the Security Advisory in the Knowledge Base 
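Review bot: the @@ -8,7 +8,7 hunk of patch 2/9 keeps the row label "Incident Manager:" while the @@ -28,10 +28,10 and @@ -70,7 +70,7 hunks relabel every former (IM) step as (SwEng); with the IM now defined as the assigned SwEng person, the "(First IM)" tags that this series leaves on steps such as step_packager_emails, step_notifications, step_mitre and step_merge_advisory are no longer self-explanatory (first IM of the release cycle, or first SwEng assignee?). Suggest a short definition of "First IM" next to the table, or a consistent rename, so the remaining tag does not read as a leftover of the old role split.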
@@ -78,7 +78,7 @@ confidential! - [ ] [:link:][step_notifications] **(First IM)** Send notification emails to third parties - [ ] [:link:][step_mitre] **(First IM)** Advise MITRE about the disclosed CVEs - [ ] [:link:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request - - [ ] [:link:][step_embargo_end] **(IM)** Inform original reporter (if external) that the security disclosure process is complete + - [ ] [:link:][step_embargo_end] **(SwEng)** Inform original reporter (if external) that the security disclosure process is complete - [ ] [:link:][step_evn_clear] **(Support)** Update the tickets in the EVN queues in RT that the embargo is lifted - [ ] [:link:][step_customers] **(Marketing)** Ensure that a ticket has been sent in the appropriate announce queue in RT to notify customers that the release is published (as outlined in the release checklist) From 0549d8355ddb8d5ecaac3cc76625a6309450d4b5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 12:48:12 +0200 Subject: [PATCH 3/9] No need to determine workarounds All Hands 2026 decision. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 1 - 1 file changed, 1 deletion(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index e7ffe392e6..62f2390b53 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
@@ -34,7 +34,6 @@ confidential! - [ ] [:link:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier - [ ] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition) - - [ ] [:link:][step_workarounds] **(SwEng)** Determine whether workarounds for the problem exist - [ ] [:link:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - [ ] [:link:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers - [ ] [:link:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it From 2368f12451e56fe242c5106a2d90caba9bb86973 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 12:48:47 +0200 Subject: [PATCH 4/9] Fixes must be merged ASAP into respective privat branch All Hands 2026 decision. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 62f2390b53..bdcd086748 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
@@ -44,13 +44,13 @@ confidential! - [ ] [:link:][step_review_fix] **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions - [ ] [:link:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix - [ ] [:link:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product + - [ ] [:link:][step_merge_fixes] **(SwEng)** Merge the CVE fixes and reproducer when they get approved - [ ] [:link:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory - [ ] [:link:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle - [ ] [:link:][step_coordinate_check] **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon ### Earlier Than T-5 - - [ ] [:link:][step_merge_fixes] **(QA)** Merge the CVE fixes in CVE identifier order - [ ] [:link:][step_evn_releases] **(QA)** Prepare EVN releases (as outlined in the Release Checklist) ### At T-5 From 228890bca8bca0ed181653b84b5ef773f47c39df Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 12:49:00 +0200 Subject: [PATCH 5/9] Draw attention to Multi-vendor issues --- .gitlab/issue_templates/Internal_use_only-CVE.md | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index bdcd086748..35f018f1ec 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
@@ -9,6 +9,7 @@ confidential! | Quick Links | :link: | | ------------------------ | ----------------------------------------------- | | Incident Manager: | @user (assigned SwEng person) | +| Multi-vendor? | :question: Yes/No? | | Public Disclosure Date: | YYYY-MM-DD | | CVSS Score: | [0.0][cvss_score_url] | | CWE: | [CWE-NNN][cwe_category_url] | From 852aebc85660ebeed4f5c26d7e9d15558ce18d1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 09:07:17 +0200 Subject: [PATCH 6/9] Refer to Zulip instead of Mattermost We are using Zulip topic per CVE, not a separate channel anymore. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 35f018f1ec..5f0cdf263a 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -15,13 +15,13 @@ confidential! | CWE: | [CWE-NNN][cwe_category_url] | | Earliest Notification: | support-team/earliest-notification-drafting!NNN | | Security Advisory: | isc-private/printing-press!NNN | -| Mattermost Channel: | [CVE-YYYY-NNNN][mattermost_url] | +| Zulip Topic: | [CVE-YYYY-NNNN][zulip_url] | | Support Ticket: | [URL] | | Release Checklist: | #NNNN | [cvss_score_url]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1 [cwe_category_url]: https://cwe.mitre.org/data/definitions/NNN.html -[mattermost_url]: https://mattermost.isc.org/isc/channels/cve-YYYY-NNNN +[zulip_url]: https://zulip.isc.org/#narrow/channel/4-bind9/topic/CVE-... :bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.** From 2e51ad242972fe6a2d5ba617ff625e97f676f27f Mon Sep 17 00:00:00 2001 
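Review bot: the @@ -34,7 +34,6 hunk of patch 3/9 deletes the step_workarounds checklist line, but unlike patch 1/9 the commit shows no matching removal of the [step_workarounds] link definition (diffstat: 1 deletion only), so check whether an unused reference definition is left at the bottom of the template. If the Security Advisory format still carries a workarounds section, the decision not to determine workarounds should be reflected there too, otherwise the Support step "Create a merge request for the Security Advisory and include all readily available information in it" will keep prompting for exactly that information.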
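Review bot: the @@ -44,13 +44,13 hunk of patch 4/9 moves step_merge_fixes from QA under "Earlier Than T-5" to SwEng under "Before Code Freeze" and silently drops the "in CVE identifier order" requirement; if that ordering existed to keep private-branch history deterministic when several CVEs land in one cycle, the commit message should say it is no longer needed. The hunk does not touch the [step_merge_fixes] link definition, so the linked wiki section may still describe the old QA step; update the explanation (or the anchor) so it matches the new owner and timing. Style: the subject line has "privat branch" for "private branch".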
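Review bot: the @@ -15,13 +15,13 hunk of patch 6/9 hard-codes the Zulip channel "4-bind9" in [zulip_url], but this template is shared across products (several steps are marked "(BIND 9 only)"), so for a non-BIND CVE the link lands in the wrong channel; either keep the channel segment as a placeholder like the "CVE-..." topic, or add a note that it must be edited per product. Also the topic placeholder "CVE-..." differs from the "CVE-YYYY-NNNN" form used in the row text and in the old Mattermost URL; using the same form in both places lets one search-and-replace fill both.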
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 11:09:18 +0200 Subject: [PATCH 7/9] Determine only which branches are affected No need to dig into history to find earliest version affected. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 5f0cdf263a..8952af56fe 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -34,7 +34,7 @@ confidential! - [ ] [:link:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) - [ ] [:link:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier - [ ] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category - - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the range of product versions affected (including the Subscription Edition) + - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition) - [ ] [:link:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - [ ] [:link:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers - [ ] [:link:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it From 98779002c0e84799150bef1ad8c45b4e3f51ab08 Mon Sep 17 00:00:00 2001 
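Review bot: in the @@ -34,7 +34,7 hunk of patch 7/9, "Determine the branches of product versions affected" reads awkwardly; "Determine which product branches are affected (including the Subscription Edition)" says what the commit message intends. Note that the CVE record (step_mitre) and the Security Advisory still need an affected-versions statement, so if the earliest affected version is no longer researched, the linked explanation should state what range is published instead.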
From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 13:17:09 +0200 Subject: [PATCH 8/9] Make help resources more obvious A futile attempt to make people read the docs. --- .../issue_templates/Internal_use_only-CVE.md | 99 ++++++++++--------- 1 file changed, 50 insertions(+), 49 deletions(-) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index 8952af56fe..c56f34d57d 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md 
@@ -6,18 +6,18 @@ if it involves an assertion failure or other crash in `named` that can be triggered repeatedly - then please make sure that you make the new issue confidential! --> -| Quick Links | :link: | -| ------------------------ | ----------------------------------------------- | -| Incident Manager: | @user (assigned SwEng person) | -| Multi-vendor? | :question: Yes/No? | -| Public Disclosure Date: | YYYY-MM-DD | -| CVSS Score: | [0.0][cvss_score_url] | -| CWE: | [CWE-NNN][cwe_category_url] | -| Earliest Notification: | support-team/earliest-notification-drafting!NNN | -| Security Advisory: | isc-private/printing-press!NNN | -| Zulip Topic: | [CVE-YYYY-NNNN][zulip_url] | -| Support Ticket: | [URL] | -| Release Checklist: | #NNNN | +| How to? | Click on [:grey_question:][checklist_explanations] for each step | +| ------------------------ | ---------------------------------------------------------------------- | +| Incident Manager: | @user (assigned SwEng person) [:grey_question:][step_incident_manager] | +| Multi-vendor? | :question: Yes/No? [:grey_question:][step_coordinate_cve_id] | +| Public Disclosure Date: | YYYY-MM-DD | +| CVSS Score: | [0.0][cvss_score_url] | +| CWE: | [CWE-NNN][cwe_category_url] | +| Earliest Notification: | support-team/earliest-notification-drafting!NNN | +| Security Advisory: | isc-private/printing-press!NNN | +| Zulip Topic: | [CVE-YYYY-NNNN][zulip_url] | +| Support Ticket: | [URL] | +| Release Checklist: | #NNNN | [cvss_score_url]: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:X/AC:X/PR:X/UI:X/S:X/C:X/I:X/A:X&version=3.1 [cwe_category_url]: https://cwe.mitre.org/data/definitions/NNN.html 
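Review bot: in the @@ -6,18 +6,18 hunk of patch 8/9 the new [step_incident_manager] target is the isc-private/bind9 wiki page Initial-Handling-of-(Potential)-Security-Issues, while every other step links into the isc-wiki Security-Incident-Handling-Checklist-Explanations page; for a template shared across products, a BIND-specific wiki is an odd home for the Incident Manager definition, or at least deserves a comment. Style: the left header cell changed from "Quick Links" to "How to?", so the column of labels below it no longer has a heading; and the Multi-vendor row now shows ":question: Yes/No? [:grey_question:]", two question icons in one cell of which only the second is a link, so dropping the ":question:" would make the help link stand out.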
@@ -29,59 +29,60 @@ confidential! ### Before Code Freeze - - [ ] [:link:][step_respond] **(SwEng)** Respond to the bug reporter - - [ ] [:link:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue - - [ ] [:link:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) - - [ ] [:link:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier - - [ ] [:link:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category - - [ ] [:link:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition) - - [ ] [:link:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text - - [ ] [:link:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers - - [ ] [:link:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it - - [ ] [:link:][step_reproducer] **(SwEng)** Prepare a private merge request containing a system test reproducing the problem - - [ ] [:link:][step_notify_support] **(SwEng)** Notify Support when a reproducer is ready - - [ ] [:link:][step_code_analysis] **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem - - [ ] [:link:][step_fix] **(SwEng)** Prepare a fix and push it as a separate commit to the merge request with the reproducer - - [ ] [:link:][step_review_fix] **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions - - [ ] [:link:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix - - [ ] [:link:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for 
all affected (and still maintained) branches of a given product - - [ ] [:link:][step_merge_fixes] **(SwEng)** Merge the CVE fixes and reproducer when they get approved - - [ ] [:link:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory - - [ ] [:link:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle - - [ ] [:link:][step_coordinate_check] **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon + - [ ] [:grey_question:][step_respond] **(SwEng)** Respond to the bug reporter + - [ ] [:grey_question:][step_public_mrs] **(SwEng)** Ensure there are no public merge requests which inadvertently disclose the issue + - [ ] [:grey_question:][step_coordinate_cve_id] **(SwEng)** Check if we need to coordinate with other vendors (an industry-wide CVE identifier might be necessary) + - [ ] [:grey_question:][step_assign_cve_id] **(SwEng)** Assign a CVE identifier + - [ ] [:grey_question:][step_note_cve_info] **(SwEng)** Update this issue with the assigned CVE identifier, the CVSS score, and the CWE category + - [ ] [:grey_question:][step_versions_affected] **(SwEng)** Determine the branches of product versions affected (including the Subscription Edition) + - [ ] [:grey_question:][step_earliest_prepare] **(Support)** Prepare "earliest" notification text + - [ ] [:grey_question:][step_earliest_send] **(Support)** Update "earliest" notification ticket in support portal Earliest queue which will notify earliest customers + - [ ] [:grey_question:][step_advisory_mr] **(Support)** Create a merge request for the Security Advisory and include all readily available information in it + - [ ] [:grey_question:][step_reproducer] **(SwEng)** Prepare a private merge request containing a system test reproducing the problem + - [ ] [:grey_question:][step_notify_support] **(SwEng)** Notify Support when a reproducer is ready + - [ ] 
[:grey_question:][step_code_analysis] **(SwEng)** Prepare a detailed explanation of the code flow triggering the problem + - [ ] [:grey_question:][step_fix] **(SwEng)** Prepare a fix and push it as a separate commit to the merge request with the reproducer + - [ ] [:grey_question:][step_review_fix] **(SwEng)** Ensure the merge request with the fix is reviewed and has no outstanding discussions + - [ ] [:grey_question:][step_review_docs] **(Support)** Review the documentation changes introduced by the merge request with the fix + - [ ] [:grey_question:][step_backports] **(SwEng)** Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product + - [ ] [:grey_question:][step_merge_fixes] **(SwEng)** Merge the CVE fixes and reproducer when they get approved + - [ ] [:grey_question:][step_finish_advisory] **(Support)** Finish preparing the Security Advisory + - [ ] [:grey_question:][step_meta_issue] **(QA)** Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle + - [ ] [:grey_question:][step_coordinate_check] **(SwEng)** Make sure other vendors are able to release on the date that was previously agreed upon ### Earlier Than T-5 - - [ ] [:link:][step_evn_releases] **(QA)** Prepare EVN releases (as outlined in the Release Checklist) + - [ ] [:grey_question:][step_evn_releases] **(QA)** Prepare EVN releases (as outlined in the Release Checklist) ### At T-5 - - [ ] [:link:][step_evn_links] **(Marketing)** (BIND 9 only) Update the BIND -S [ticket](https://techsupport.isc.org/Ticket/Display.html?id=23796) in the support portal with download links to the new versions - - [ ] [:link:][step_evn_send_t_5] **(Support)** Notify eligible customers by adding a ticket to the 5-Day queue in RT with the text of the advisory (earliest, and T-5) - - [ ] [:link:][step_preannouncement] **(Marketing)** Send a pre-announcement email to the appropriate 
*-announce* mailing list to alert users that the upcoming release will include security fixes + - [ ] [:grey_question:][step_evn_links] **(Marketing)** (BIND 9 only) Update the BIND -S [ticket](https://techsupport.isc.org/Ticket/Display.html?id=23796) in the support portal with download links to the new versions + - [ ] [:grey_question:][step_evn_send_t_5] **(Support)** Notify eligible customers by adding a ticket to the 5-Day queue in RT with the text of the advisory (earliest, and T-5) + - [ ] [:grey_question:][step_preannouncement] **(Marketing)** Send a pre-announcement email to the appropriate *-announce* mailing list to alert users that the upcoming release will include security fixes ### At T-3 - - [ ] [:link:][step_evn_send_t_3] **(Support)** Notify eligible customers by adding a ticket to the 3-Day queue in RT with the text of the advisory (T-3) + - [ ] [:grey_question:][step_evn_send_t_3] **(Support)** Notify eligible customers by adding a ticket to the 3-Day queue in RT with the text of the advisory (T-3) ### At T-1 - - [ ] [:link:][step_packager_emails] **(First IM)** Send notifications to OS packagers + - [ ] [:grey_question:][step_packager_emails] **(First IM)** Send notifications to OS packagers ### On the Day of Public Disclosure - - [ ] [:link:][step_clearance] **(SwEng)** Grant QA & Marketing clearance to proceed with public release - - [ ] [:link:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base - - [ ] [:link:][step_bump_advisory] **(Support)** Bump Document Version for the Security Advisory in Printing Press - - [ ] [:link:][step_publish_advisory] **(Support)** Publish the Security Advisory in the Knowledge Base - - [ ] [:link:][step_publish] **(QA/Marketing)** Publish the releases (as outlined in the release checklist) - - [ ] [:link:][step_notifications] **(First IM)** Send notification emails to third parties - - [ ] [:link:][step_mitre] **(First IM)** Advise MITRE about the 
disclosed CVEs - - [ ] [:link:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request - - [ ] [:link:][step_embargo_end] **(SwEng)** Inform original reporter (if external) that the security disclosure process is complete - - [ ] [:link:][step_evn_clear] **(Support)** Update the tickets in the EVN queues in RT that the embargo is lifted - - [ ] [:link:][step_customers] **(Marketing)** Ensure that a ticket has been sent in the appropriate announce queue in RT to notify customers that the release is published (as outlined in the release checklist) + - [ ] [:grey_question:][step_clearance] **(SwEng)** Grant QA & Marketing clearance to proceed with public release + - [ ] [:grey_question:][step_matrix] **(Support)** (BIND 9 only) Add the new CVEs to the vulnerability matrix in the Knowledge Base + - [ ] [:grey_question:][step_bump_advisory] **(Support)** Bump Document Version for the Security Advisory in Printing Press + - [ ] [:grey_question:][step_publish_advisory] **(Support)** Publish the Security Advisory in the Knowledge Base + - [ ] [:grey_question:][step_publish] **(QA/Marketing)** Publish the releases (as outlined in the release checklist) + - [ ] [:grey_question:][step_notifications] **(First IM)** Send notification emails to third parties + - [ ] [:grey_question:][step_mitre] **(First IM)** Advise MITRE about the disclosed CVEs + - [ ] [:grey_question:][step_merge_advisory] **(First IM)** Merge the Security Advisory merge request + - [ ] [:grey_question:][step_embargo_end] **(SwEng)** Inform original reporter (if external) that the security disclosure process is complete + - [ ] [:grey_question:][step_evn_clear] **(Support)** Update the tickets in the EVN queues in RT that the embargo is lifted + - [ ] [:grey_question:][step_customers] **(Marketing)** Ensure that a ticket has been sent in the appropriate announce queue in RT to notify customers that the release is published (as outlined in the release checklist) 
+[step_incident_manager]: https://gitlab.isc.org/isc-private/bind9/-/wikis/Initial-Handling-of-(Potential)-Security-Issues [step_respond]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#respond-to-the-bug-reporter [step_public_mrs]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#ensure-there-are-no-public-merge-requests-which-inadvertently-disclose-the-issue [step_coordinate_cve_id]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations#check-if-we-need-to-coordinate-with-other-vendors-an-industry-wide-cve-identifier-might-be-necessary From 3d17c2e03eecfcd1800225226377b521b2d17843 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 5 Jun 2026 13:34:35 +0200 Subject: [PATCH 9/9] Try to encourage people to ask Better than stalling the process when unsure. Let's see if it helps. --- .gitlab/issue_templates/Internal_use_only-CVE.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitlab/issue_templates/Internal_use_only-CVE.md b/.gitlab/issue_templates/Internal_use_only-CVE.md index c56f34d57d..e24fc84ddf 100644 --- a/.gitlab/issue_templates/Internal_use_only-CVE.md +++ b/.gitlab/issue_templates/Internal_use_only-CVE.md @@ -25,6 +25,8 @@ confidential! :bulb: **Click [here][checklist_explanations] (internal resource) for general information about the security incident handling process.** +:question: Not sure about something? Ask! + [checklist_explanations]: https://gitlab.isc.org/isc-private/isc-wiki/-/wikis/Security-Incident-Handling-Checklist-Explanations ### Before Code Freeze
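Review bot: the @@ -29,59 +29,60 hunk of patch 8/9 is a mechanical :link: to :grey_question: swap across 49 checklist lines plus one new link definition; keeping such icon renames in their own commit would leave the one substantive addition (+[step_incident_manager]) visible in review. Also, that definition has no section anchor, unlike every other [step_*] definition, so the help icon opens the whole wiki page rather than the relevant section; add one if the page has a matching heading.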
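Review bot: ":question: Not sure about something? Ask!" in the @@ -25,6 +25,8 hunk of patch 9/9 does not say where to ask; pointing at the Zulip Topic row of the Quick Links table (or at the Incident Manager) makes the line actionable, for example "Not sure about something? Ask in the Zulip topic linked above." The ":question:" icon is also the one used in the Multi-vendor row to mark a value to fill in; using :bulb: here, as on the preceding line, avoids giving one icon two meanings.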