path: root/.gitlab/issue_templates/CVE_draft.md
blob: f339739387411362daa5d3d58ac43c492c1c801e (plain)
---
name: CVE Communications Draft
about: Create draft emails for a security vulnerability

---

(INTERNAL) (Non-authoritative Draft only)
The version in the KB is the authoritative Advisory; this is only DRAFT text to be used for communications (emails). This is also not the CVE checklist for this issue. Once the CVE is made public, this issue should be deleted from the repo.

(INTERNAL) DO NOT FORGET TO MAKE THIS ISSUE CONFIDENTIAL!

(INTERNAL) (Keep things text-only friendly)
All of the official communication about this vulnerability will use a text-only version of this article. This is most obvious in the way that links are constructed: contrary to "web best-practice", links should use the full URL as their link text so that they survive in plain-text email.

(INTERNAL)
| Field | Value |
| ------ | ------ |
| CVE # | CVE-9999-99999 |
| GL Issue |         |
| Versions affected |  |
| link to Advisory draft in KB |   |
| date for earliest |   |
| date for T-5 |   |
| public release date |   |

cut and paste below this line for the customer email

----------------------

NOTE: This Advisory is Confidential and under NDA until Public Release
(date of planned release here) unless notified by the Internet
Systems Consortium's (ISC's) Security Officer (security-officer@isc.org).
We ask that you respect our phased disclosure process (see
https://www.isc.org/security-vulnerability-disclosure-policy ).

If you know of an additional party who should be included in our phased
disclosure process please contact ISC directly and do not forward this
advisory to them.

DO NOT forward this information to anyone per your Subscription
Agreement, as it has not yet been released to the public.

If you need to ask a question about this Advance Security Bulletin,
before it is publicly released, please do so securely and do not make
any reference to the advisory or its existence via unencrypted email to
ISC or by opening a new support ticket.

We suggest using one of the secure methods below:

1. Log in to your RT queue via https to add the question to the advisory
notification ticket in your queue. ISC's support team will post a reply
and then inform you directly via email that we have responded and that
you need to check the ticket directly.

2. Email your question, encrypted to security-officer@isc.org, using our
public PGP key which can be found here:

http://www.isc.org/downloads/software-support-policy/openpgp-key/

Regards,

ISC Support

----

To Our Advance Notification Customers and Partners --

This message is being sent to you because you are on our list for Early Advance
Notification for security issues affecting ISC DHCP.

We have learned of a security issue which can be exploited in the ISC DHCP
server (dhcpd).

The issue, which is designated CVE-xxxx-xxxxx, occurs due to xxxxxxx.

This defect applies to versions DHCP 4.1.x - 4.1.y and DHCP 4.4.x - 4.4.y.

Description:



Impact:



Workaround:



If you have questions, please use this ticket to ask them.

your name here

ISC Support Engineer

---------------
[DRAFT TEXT OF THE ADVISORY IS BELOW, NOTE THAT THIS IS ONLY A WORKING DRAFT]


CVE: CVE-9999-99999  [FILL IN]

Document version: 1.0

Posting date: [FILL IN DD MONTH YEAR]

Program impacted: DHCP

Versions affected: DHCP [FILL IN]

Severity: [FILL IN - MEDIUM, HIGH OR CRITICAL]

Exploitable: [FILL IN - REMOTELY OR LOCALLY]

Description:

[FILL IN]

Impact:

[FILL IN]

CVSS Score: [FILL IN]

CVSS v3.1 Vector: [PASTE HERE]

For more information on the Common Vulnerability Scoring System and to
obtain your specific environmental score please visit:
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C&version=3.1

Workarounds:

[FILL IN, OFTEN ...]
No workarounds known.

Active exploits:
[FILL IN, OFTEN ...]
We are not aware of any active exploits.

Solution:
[FILL IN, TYPICALLY SOMETHING LIKE THIS...]
Upgrade to the patched release most closely related to your current
version of DHCP:

DHCP 4.4.x (Current Stable)
DHCP 4.1.x (Old Stable)

Acknowledgments: ISC would like to thank [REPORTER] from [REPORTER ORGANIZATION]
for discovering and reporting this issue.

Document revision history:

1.0 Early Notification, [DAY MONTH YEAR]

Related documents:


Do you still have questions? Questions regarding this advisory should
go to security-officer@isc.org. To report a new issue, please encrypt
your message using security-officer@isc.org's PGP key which can be
found here: https://www.isc.org/pgpkey/. If you are unable to use
encrypted email, you may also report new issues at: 
https://www.isc.org/reportbug/.

Note:

ISC patches only currently supported versions. When possible we
indicate EOL versions affected. (For current information on which
versions are actively supported, please see:
https://www.isc.org/download/ )

ISC Security Vulnerability Disclosure Policy:

Details of our current security advisory policy and practice can be
found in the ISC Software Defect and Security Vulnerability Disclosure
Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article [PASTE IN THE LINK HERE] is the
complete and official security advisory document.

Legal Disclaimer:

Internet Systems Consortium (ISC) is providing this notice on an "AS
IS" basis. No warranty or guarantee of any kind is expressed in this
notice and none should be implied. ISC expressly excludes and
disclaims any warranties regarding this notice or materials referred
to in this notice, including, without limitation, any implied warranty
of merchantability, fitness for a particular purpose, absence of
hidden defects, or of non-infringement. Your use or reliance on this
notice or materials referred to in this notice is at your own risk.
ISC may change this notice at any time. A stand-alone copy or
paraphrase of the text of this document that omits the document URL is
an uncontrolled copy. Uncontrolled copies may lack important
information, be out of date, or contain factual errors.