bind-bug-bounty-program
1
In Scope
8
Out of Scope
In-Scope Assets (1)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| https://gitlab.isc.org/isc-projects/bind9 | OPEN-SOURCE | Yes | - |
Out-of-Scope Assets (8)
| Asset | Category | Bounty | |
|---|---|---|---|
| Any asset that is not explicitly included in our program's scope | OTHER | Yes | |
| Any depreciated versions and other versions than the current stable/official version are considered out of scope. | OTHER | Yes | |
| Any local implementation of the project/implementation belonging to third parties | OTHER | Yes | |
| Any third parties’ or Community’s assets (e.g. packages or versions not created and published by ISC). | OTHER | Yes | |
| Any vulnerability that requires admin or admin-like access (see below for more details) - this includes access to files on drive, administrative interfaces (rndc, statistics channel), access to any shared key, privileges to write files on disk and authenticated access to change the zone file contents (zone transfers, DNS update).. | OTHER | Yes | |
| Vulnerabilities in the DNS protocol that are not specific to the BIND 9 implementation (while we are interested in these, they are out of scope of this Bug Bounty program). | OTHER | Yes | |
| gitlab.isc.org | OTHER | Yes | |
| lists.isc.org | OTHER | Yes |
Scope Changes (43)
Apr 7, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | any vulnerability that requires admin or admin-like access (see below for more details) - this includes access to files on drive, administrative interfaces (rndc, statistics channel), access to any shared key, privileges to write files on disk and authenticated access to change the zone file contents (zone transfers, dns update). | OTHER | Out of Scope | 08:21 |
| Removed | any vulnerability that requires admin or admin-like access (see below for more details) - this includes access to files on drive, administrative interfaces (rndc, statistics channel), access to any shared key, privileges to write files on disk and authenticated access to change the zone file contents (zone transfers, dns update). | OTHER | Out of Scope | 08:21 |
| Added | any vulnerability that requires admin or admin-like access (see below for more details) - this includes access to files on drive, administrative interfaces (rndc, statistics channel), access to any shared key, privileges to write files on disk and authenticated access to change the zone file contents (zone transfers, dns update). | OTHER | Out of Scope | 07:21 |
| Added | any vulnerability that requires admin or admin-like access (see below for more details) - this includes access to files on drive, administrative interfaces (rndc, statistics channel), access to any shared key, privileges to write files on disk and authenticated access to change the zone file contents (zone transfers, dns update). | OTHER | Out of Scope | 07:21 |
Mar 26, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Removed | any third parties’ or community’s assets (e.g. packages or versions not created and published by isc) | OTHER | Out of Scope | 16:06 |
| Removed | any depreciated versions and other versions than the current stable/official version are considered out of scope | OTHER | Out of Scope | 16:06 |
| Removed | any local implementation of the project/implementation belonging to third parties | OTHER | Out of Scope | 16:06 |
| Removed | vulnerabilities in the dns protocol that are not specific to the bind 9 implementation (while we are interested in these, they are out of scope of this bug bounty program) | OTHER | Out of Scope | 16:06 |
| Removed | https://gitlab.isc.org/isc-projects/bind9 | URL | In Scope | 16:06 |
| Removed | gitlab.isc.org | URL | Out of Scope | 16:06 |
| Removed | lists.isc.org | URL | Out of Scope | 16:06 |
| Removed | any asset that is not explicitly included in our program's scope | OTHER | Out of Scope | 16:06 |
Feb 25, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | https://gitlab.isc.org/isc-projects/bind9 | URL | In Scope | 19:08 |
| Added | gitlab.isc.org | URL | Out of Scope | 19:08 |
| Added | lists.isc.org | URL | Out of Scope | 19:08 |
| Added | any asset that is not explicitly included in our program's scope | OTHER | Out of Scope | 19:08 |
| Added | any third parties’ or community’s assets (e.g. packages or versions not created and published by isc) | OTHER | Out of Scope | 19:08 |
| Added | any depreciated versions and other versions than the current stable/official version are considered out of scope | OTHER | Out of Scope | 19:08 |
| Added | any local implementation of the project/implementation belonging to third parties | OTHER | Out of Scope | 19:08 |
| Added | vulnerabilities in the dns protocol that are not specific to the bind 9 implementation (while we are interested in these, they are out of scope of this bug bounty program) | OTHER | Out of Scope | 19:08 |
Feb 22, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Added | vulnerabilities in the dns protocol that are not specific to the bind 9 implementation (while we are interested in these, they are out of scope of this bug bounty program) | OTHER | Out of Scope | 00:51 |
| Added | https://gitlab.isc.org/isc-projects/bind9 | CODE | In Scope | 00:51 |
| Added | any asset that is not explicitly included in our program's scope | OTHER | Out of Scope | 00:51 |
| Added | lists.isc.org | URL | Out of Scope | 00:51 |
| Added | gitlab.isc.org | URL | Out of Scope | 00:51 |
| Added | any third parties’ or community’s assets (e.g. packages or versions not created and published by isc) | OTHER | Out of Scope | 00:51 |
| Added | any depreciated versions and other versions than the current stable/official version are considered out of scope | OTHER | Out of Scope | 00:51 |
| Added | any local implementation of the project/implementation belonging to third parties | OTHER | Out of Scope | 00:51 |
Feb 21, 2026
| Change | Asset | Category | Scope | Time |
|---|---|---|---|---|
| Removed | vulnerabilities in the dns protocol that are not specific to the bind 9 implementation (while we are interested in these, they are out of scope of this bug bounty program) | OTHER | Out of Scope | 21:40 |
| Removed | https://gitlab.isc.org/isc-projects/bind9 | OPEN-SOURCE | In Scope | 21:40 |
| Removed | gitlab.isc.org | OTHER | Out of Scope | 21:40 |
| Removed | lists.isc.org | OTHER | Out of Scope | 21:40 |
| Removed | any asset that is not explicitly included in our program's scope | OTHER | Out of Scope | 21:40 |
| Removed | any third parties’ or community’s assets (e.g. packages or versions not created and published by isc) | OTHER | Out of Scope | 21:40 |
| Removed | any depreciated versions and other versions than the current stable/official version are considered out of scope | OTHER | Out of Scope | 21:40 |
| Removed | any local implementation of the project/implementation belonging to third parties | OTHER | Out of Scope | 21:40 |
| Added | lists.isc.org | OTHER | Out of Scope | 00:33 |
| Added | any asset that is not explicitly included in our program's scope | OTHER | Out of Scope | 00:33 |
| Added | any third parties’ or community’s assets (e.g. packages or versions not created and published by isc) | OTHER | Out of Scope | 00:33 |
| Added | any depreciated versions and other versions than the current stable/official version are considered out of scope | OTHER | Out of Scope | 00:33 |
| Added | any local implementation of the project/implementation belonging to third parties | OTHER | Out of Scope | 00:33 |
| Added | vulnerabilities in the dns protocol that are not specific to the bind 9 implementation (while we are interested in these, they are out of scope of this bug bounty program) | OTHER | Out of Scope | 00:33 |
| Added | gitlab.isc.org | OTHER | Out of Scope | 00:33 |