The majority of providers of open-source DNS server software are OARC Members. OARC encourages responsible disclosure of software vulnerabilities, and to facilitate this, we operate a private mailing list which goes directly to the relevant security contacts at these vendors. This list exists to allow researchers, CERTs, users and other interested parties to submit such security vulnerabilities in DNS software and protocols to these software development teams, as part of a responsible disclosure process.
Subscription to this list is open to vendors and developers of open-source DNS server software implementations who are OARC Members or Supporters; and by invitation to nonprofit developers of such software, provided they are sponsored by at least one OARC Member, and no objections are raised by existing list members. All submissions to this list are strongly recommended to have a TLP designation on how it may be distributed, and marked with any disclosure embargo dates, which must be respected by all list members. Postings to this list will be treated as "Confidential Information" under clause 5.2(b) of the OARC Participation Agreement. Any submissions without a TLP designation will be treated as TLP:Green. Failure to respect distribution embargoes or restrictions may result in removal from this list.
Vulnerability reports may be submitted to: <firstname.lastname@example.org> and will be distributed to all subscribing providers. All submissions to this list will be moderated by DNS-OARC.
Requests to join this list can be submitted to: https://lists.dns-oarc.net/mailman/listinfo/oss-dns-vulns.
Use of this list is intended to supplement, not replace existing vulnerability responsible disclosure channels. This list is focused specifically on vulnerabilities which impact open-source server implementations of the DNS protocol. Parties submitting to this list should carefully research and additionally use other channels that may be appropriate for reporting any vulnerabilities.