Skip to content

Rework the Security Incident Handling Checklist

This merge request is intended to serve as a focal point for discussing the proposed revisions to the Security Incident Handling Checklist at ISC.

If you wish to provide your feedback, please switch to the "Changes" tab and add context comments by clicking on the "Comment" icon after hovering your mouse over a specific GREEN line and then entering the comment text. This helps with keeping track of the open discussions. (The lines in red are the lines that will get removed from the current checklist. Please ignore those.)

For your convenience, below is a preview of how a sample security incident handling checklist would look like if this merge requests gets accepted. The idea is to prepend this checklist to the description of each GitLab issue describing a security vulnerability.


Quick Links 🔗
Incident Manager: @user
Deputy Incident Manager: @user
Public Disclosure Date: YYYY-MM-DD
CVSS Score: 0.0
Security Advisory: isc-private/printing-press!NNN
Mattermost Channel: CVE-YYYY-NNNN
Support Ticket: [URL]
Release Checklist: #NNNN
Post-mortem Etherpad: [postmortem-YYYY-MM][postmortem_url]

💡 Click here (internal resource) for general information about the security incident handling process.

Earlier Than T-5

  • 🔗 (IM) Pick a Deputy Incident Manager
  • 🔗 (IM) Respond to the bug reporter
  • 🔗 (IM) Create an Etherpad for post-mortem
  • 🔗 (SwEng) Ensure there are no public merge requests which inadvertently disclose the issue
  • 🔗 (IM) Assign a CVE identifier
  • 🔗 (SwEng) Update this issue with the assigned CVE identifier and the CVSS score
  • 🔗 (SwEng) Determine the range of product versions affected (including the Subscription Edition)
  • 🔗 (SwEng) Determine whether workarounds for the problem exist
  • 🔗 (SwEng) If necessary, coordinate with other parties
  • 🔗 (Support) Prepare and send out "earliest" notifications
  • 🔗 (Support) Create a merge request for the Security Advisory and include all readily available information in it
  • 🔗 (SwEng) Prepare a private merge request containing a system test reproducing the problem
  • 🔗 (SwEng) Notify Support when a reproducer is ready
  • 🔗 (SwEng) Prepare a detailed explanation of the code flow triggering the problem
  • 🔗 (SwEng) Prepare a private merge request with the fix
  • 🔗 (SwEng) Ensure the merge request with the fix is reviewed and has no outstanding discussions
  • 🔗 (Support) Review the documentation changes introduced by the merge request with the fix
  • 🔗 (SwEng) Prepare backports of the merge request addressing the problem for all affected (and still maintained) branches of a given product
  • 🔗 (Support) Finish preparing the Security Advisory
  • 🔗 (QA) Create (or update) the private issue containing links to fixes & reproducers for all CVEs fixed in a given release cycle
  • 🔗 (QA) (BIND 9 only) Reserve a block of CHANGES placeholders once the complete set of vulnerabilities fixed in a given release cycle is determined
  • 🔗 (QA) Merge the CVE fixes in CVE identifier order
  • 🔗 (QA) Prepare a standalone patch for the last stable release of each affected (and still maintained) product branch
  • 🔗 (QA) Prepare ASN releases (as outlined in the Release Checklist)

At T-5

  • 🔗 (Support) Send ASN to eligible customers
  • 🔗 (Support) (BIND 9 only) Send a pre-announcement email to the bind-announce mailing list to alert users that the upcoming release will include security fixes

At T-4

  • 🔗 (Support) Verify that all ASN-eligible customers have received the notification email

At T-1

  • 🔗 (Support) Verify that any new or reinstated customers have received the notification email
  • 🔗 (First IM) Send notifications to OS packagers

On the Day of Public Disclosure

  • 🔗 (IM) Grant Support clearance to proceed with public release
  • 🔗 (Support) Publish the releases (as outlined in the release checklist)
  • 🔗 (Support) (BIND 9 only) Update vulnerability matrix in the Knowledge Base
  • 🔗 (Support) Bump Document Version for the Security Advisory and publish it in the Knowledge Base
  • 🔗 (First IM) Send notification emails to third parties
  • 🔗 (First IM) Advise MITRE about the disclosed CVEs
  • 🔗 (First IM) Merge the Security Advisory merge request
  • 🔗 (IM) Inform original reporter (if external) that the security disclosure process is complete
  • 🔗 (Support) Inform customers a fix has been released

After Public Disclosure

  • 🔗 (First IM) Organize post-mortem meeting and make sure it happens
  • 🔗 (Support) Close support tickets
  • 🔗 (QA) Merge a regression test reproducing the bug into all affected (and still maintained) branches
Edited by Michał Kępień

Merge request reports