ICANN releases guidelines for DNS issue disclosure

The Internet Corporation for Assigned Names and Numbers (ICANN) has released a new set of guidelines for security researchers to follow when disclosing vulnerabilities that affect the Domain Name System (DNS) or ICANN's own systems.

Until now, there has been no guidance on offer for security researchers who come across a weakness in the DNS. On finding an issue, they have had no official contact to get in touch with, which could leave the issue unrectified.

ICANN has a role in responding to DNS security issues; if an issue is never reported to it, however, the response can be too slow, and details of an unfixed weakness could become public before it is addressed.

The new set of guidelines, named Coordinated Vulnerability Disclosure Reporting at ICANN, is intended to solve this problem by giving security researchers clear direction on how to report DNS vulnerabilities.

The guidelines recommend that researchers not publicly disclose a vulnerability until the affected vendor has been informed and has acknowledged and fixed the problem. Should the vendor be unresponsive, the guidelines provide for the issue to be turned over to a coordinator, which could be either ICANN itself or a national computer emergency response team (CERT).

To discourage premature disclosure, ICANN has said it will acknowledge reports by email within one business day and, within two weeks, will provide an initial assessment together with an estimate of when the problem will be rectified. The person who reports the issue will be kept informed throughout the process.

When ICANN itself notifies a third party of a vulnerability, it will wait up to ten days for a response, depending on the severity of the issue. Should it receive no response, it will then take the issue to a coordinator to determine how it should be disclosed.

ICANN wrote on its blog: “These guidelines affirm ICANN’s commitment to facilitating the security, stability and resiliency of the internet’s unique identifiers through coordination and collaboration, and to operating and maintaining ICANN systems and networks responsibly.”