... | ... | @@ -10,12 +10,14 @@ Notifications are received by the BIND Engineering Team members. We engage resou |
|
|
|
|
|
## Issue severity
|
|
|
|
|
|
We will determine the risk of each issue, taking into account our experience dealing with past issues, versions affected, common defaults, and use cases. We use the following severity categories:
|
|
|
We will determine the risk of each issue, taking into account our experience dealing with past issues, versions affected, common defaults, and use cases. We use [Common Vulnerability Scoring System v3.0](https://www.first.org/cvss/specification-document) to assess the severity of the security vulnerability as a rough guide for the vulnerability classification.
|
|
|
|
|
|
* **CRITICAL** Severity. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.
|
|
|
* **HIGH** Severity. This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.
|
|
|
* **MEDIUM** Severity. This includes issues like crashes in client applications, flaws in protocols that are less commonly used, and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time.
|
|
|
* **LOW** Severity. This includes issues such as those that only affect the BIND 9 command line utility, unlikely configurations, or hard to exploit attacks. These will in general be fixed immediately in latest development versions, and may be backported to older versions that are still getting updates. We will update the vulnerabilities page and note the issue CVE in the changelog and commit message, but they may not trigger new releases.
|
|
|
We use the following severity categories:
|
|
|
|
|
|
* **CRITICAL** Severity *(CVSS Score 9.0 - 10.0)*. This affects common configurations and which are also likely to be exploitable. Examples include significant disclosure of the contents of server memory (potentially revealing user details), vulnerabilities which can be easily exploited remotely to compromise server or where remote code execution is considered likely in common situations. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to address these as soon as possible.
|
|
|
* **HIGH** Severity *(CVSS Score 7.0 - 8.9)*. This includes issues that are of a lower risk than critical, perhaps due to affecting less common configurations, or which are less likely to be exploitable. These issues will be kept private and will trigger a new release of all supported versions. We will attempt to keep the time these issues are private to a minimum; our aim would be no longer than a month where this is something under our control.
|
|
|
* **MEDIUM** Severity *(CVSS Score 4.0 - 6.9)*. This includes issues like crashes in client applications, flaws in protocols that are less commonly used, and local flaws. These will in general be kept private until the next release, and that release will be scheduled so that it can roll up several such flaws at one time.
|
|
|
* **LOW** Severity *(CVSS Score 0.1 - 3.9)*. This includes issues such as those that only affect the BIND 9 command line utility, unlikely configurations, or hard to exploit attacks. These will in general be fixed immediately in latest development versions, and may be backported to older versions that are still getting updates. We will update the vulnerabilities page and note the issue CVE in the changelog and commit message, but they may not trigger new releases.
|
|
|
|
|
|
## Prenotification policy
|
|
|
|
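Review bot: the new bullets pin each category to a fixed CVSS v3.0 band (9.0 - 10.0, 7.0 - 8.9, 4.0 - 6.9, 0.1 - 3.9) while the added introductory sentence calls CVSS only "a rough guide", so the text never says which governs when the score band and the descriptive criteria ("affects common configurations", "less likely to be exploitable") disagree; suggest one sentence after "We use the following severity categories:" stating whether the descriptive criteria decide and the band is indicative, or the reverse. A 0.0 (None) score is not covered by any band, which is worth a clause if such reports are ever triaged under this policy. Since the bullet text is being touched anyway, the grammar carried over unchanged from the old list could be fixed in the same commit: "This affects common configurations and which are also likely to be exploitable" reads better as "This affects common configurations and is also likely to be exploitable", and "to compromise server" as "to compromise the server".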
... | ... | |