Move security-related information to SECURITY.md

kempniu · kempniu · commit ca9fed91431e · 2023-09-04T11:54:57.000+02:00
To follow current best practices, create a short SECURITY.md file in the
root of the repository that contains information about the project's
security policy and guidelines for reporting potential security issues.
Replace the relevant bits of text in other files with references to the
new SECURITY.md file, so that the relevant information only needs to be
maintained in one place.

Replace all occurrences of the generic security-officer@isc.org email
with a dedicated address for reporting BIND 9 security issues,
bind-security@isc.org.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -102,22 +102,7 @@ Twitter, or Facebook.
 
 ### Reporting possible security issues
 
-If you think you may be seeing a potential security vulnerability in BIND
-(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
-report it immediately by emailing to security-officer@isc.org. Plain-text
-e-mail is not a secure choice for communications concerning undisclosed
-security issues so please encrypt your communications to us if possible,
-using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
-
-Do not discuss undisclosed security vulnerabilities on any public mailing list.
-ISC has a long history of handling reported vulnerabilities promptly and
-effectively and we respect and acknowledge responsible reporters.
-
-ISC's Security Vulnerability Disclosure Policy is documented at
-[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
-
-If you have a crash, you may want to consult
-["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
+See `SECURITY.md`.
 
 ### <a name="contrib"></a>Contributing code
 
diff --git a/README.md b/README.md
@@ -74,17 +74,9 @@ contents of your configuration file in a non-confidential issue, it is
 advisable to obscure key secrets; this can be done automatically by
 using `named-checkconf -px`.
 
-If you are reporting a bug that is a potential security issue, such as an
-assertion failure or other crash in `named`, please do *NOT* use GitLab to
-report it. Instead, send mail to
-[security-officer@isc.org](mailto:security-officer@isc.org) using our
-OpenPGP key to secure your message. (Information about OpenPGP and links
-to our key can be found at
-[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
-discuss the bug on any public mailing list.
-
-For a general overview of ISC security policies, read the Knowledgebase
-article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+For information about ISC's Security Vulnerability Disclosure Policy and
+information about reporting potential security issues, please see
+`SECURITY.md`.
 
 Professional support and training for BIND are available from
 ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)
diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,35 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+# Security Policy
+
+ISC's Security Vulnerability Disclosure Policy is documented in the
+relevant [ISC Knowledgebase article][1].
+
+## Reporting possible security issues
+
+If you think you may be seeing a potential security vulnerability in
+BIND (for example, a crash with a REQUIRE, INSIST, or ASSERT failure),
+please report it immediately by [opening a confidential GitLab issue][2]
+(preferred) or emailing bind-security@isc.org.
+
+Please do not discuss undisclosed security vulnerabilities on any public
+mailing list. ISC has a long history of handling reported
+vulnerabilities promptly and effectively and we respect and acknowledge
+responsible reporters.
+
+If you have a crash, you may want to consult the Knowledgebase article
+entitled ["What to do if your BIND or DHCP server has crashed"][3].
+
+[1]: https://kb.isc.org/docs/aa-00861
+[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Bug
+[3]: https://kb.isc.org/docs/aa-00340
