Merge branch 'michal/reorganize-vulnerability-docs-9.18' into 'bind-9.18'

[9.18] Move security-related information to SECURITY.md

See merge request isc-projects/bind9!8266

CONTRIBUTING.md

@@ -102,22 +102,7 @@ Twitter, or Facebook.
 
 ### Reporting possible security issues
 
-If you think you may be seeing a potential security vulnerability in BIND
-(for example, a crash with REQUIRE, INSIST, or ASSERT failure), please
-report it immediately by emailing to security-officer@isc.org. Plain-text
-e-mail is not a secure choice for communications concerning undisclosed
-security issues so please encrypt your communications to us if possible,
-using the [ISC Security Officer public key](https://www.isc.org/pgpkey/).
-
-Do not discuss undisclosed security vulnerabilities on any public mailing list.
-ISC has a long history of handling reported vulnerabilities promptly and
-effectively and we respect and acknowledge responsible reporters.
-
-ISC's Security Vulnerability Disclosure Policy is documented at
-[https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
-
-If you have a crash, you may want to consult
-["What to do if your BIND or DHCP server has crashed."](https://kb.isc.org/docs/aa-00340)
+See `SECURITY.md`.
 
 ### <a name="contrib"></a>Contributing code
 

README.md

@@ -74,17 +74,9 @@ contents of your configuration file in a non-confidential issue, it is
 advisable to obscure key secrets; this can be done automatically by
 using `named-checkconf -px`.
 
-If you are reporting a bug that is a potential security issue, such as an
-assertion failure or other crash in `named`, please do *NOT* use GitLab to
-report it. Instead, send mail to
-[security-officer@isc.org](mailto:security-officer@isc.org) using our
-OpenPGP key to secure your message. (Information about OpenPGP and links
-to our key can be found at
-[https://www.isc.org/pgpkey](https://www.isc.org/pgpkey).) Please do not
-discuss the bug on any public mailing list.
-
-For a general overview of ISC security policies, read the Knowledgebase
-article at [https://kb.isc.org/docs/aa-00861](https://kb.isc.org/docs/aa-00861).
+For information about ISC's Security Vulnerability Disclosure Policy and
+information about reporting potential security issues, please see
+`SECURITY.md`.
 
 Professional support and training for BIND are available from
 ISC. Contact us at [https://www.isc.org/contact](https://www.isc.org/contact)

SECURITY.md

@@ -0,0 +1,35 @@
+<!--
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0.  If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+-->
+# Security Policy
+
+ISC's Security Vulnerability Disclosure Policy is documented in the
+relevant [ISC Knowledgebase article][1].
+
+## Reporting possible security issues
+
+If you think you may be seeing a potential security vulnerability in
+BIND (for example, a crash with a REQUIRE, INSIST, or ASSERT failure),
+please report it immediately by [opening a confidential GitLab issue][2]
+(preferred) or emailing bind-security@isc.org.
+
+Please do not discuss undisclosed security vulnerabilities on any public
+mailing list. ISC has a long history of handling reported
+vulnerabilities promptly and effectively and we respect and acknowledge
+responsible reporters.
+
+If you have a crash, you may want to consult the Knowledgebase article
+entitled ["What to do if your BIND or DHCP server has crashed"][3].
+
+[1]: https://kb.isc.org/docs/aa-00861
+[2]: https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true&issuable_template=Bug
+[3]: https://kb.isc.org/docs/aa-00340