NLnet Labs Security Patch Policy

Published 7 Aug 2013, version 1.0.2


This policy currently applies to:

  • UNBOUND
  • NSD

The security of our software is important, and NLnet Labs gives security considerations the highest importance. If a flaw is found we intend to provide security patches, for free, to the general public. Besides, we strive to be transparent about the nature, cause and impact of security flaws. Since the announcement of a security flaw may trigger the creation of exploits, we strive to balance transparency about flaws with the impact exploits might have on the Internet and its users.

We will follow the following internal guidelines. However, circumstances may force us to not apply this policy in full.

  • End of support for the software by NLnet Labs will be publicly announced two years in advance.
  • All security vulnerabilities will be identified with a dedicated CERT vulnerability tracking numbers.
  • In general the security patches are distributed according to the following priority:
    Cat. 1:
    Supported Contacts and the party that reported the vulnerability, under non-disclosure.
    Cat. 2:
    Special Interest group, under non-disclosure.
    2a.
    Well known high-level public interest entities (e.g. root-servers).
    2b.
    Known Open Source platform OS-maintainers.
    Cat 3.:
    The general public.
  • The time scale on which publish/distribute security patches differently depending on the nature of the security issue. If the issue is widely known or exploited at the moment we have developed a patch (zero day) we intend to release the patch as soon as possible to the widest audience possible, which collapses stages 1 through 3 above to the order of days.
  • If the issue is not yet public, we intend to release security patches to the general public on a short timescale, of the order of weeks.
  • If we cannot find a fix for the security vulnerability, we obviously cannot provide code, and may seek assistance. In order to prevent zero-day exploits information about (the existence of) these types of vulnerabilities may only be shared under non-disclosure with cat. 1, and if circumstances dictate with cat. 2.
  • We provide patches for the latest released software version i.e. the latest major, minor, patch level release.
  • In general we provide support for the previous major release for 1 year after its deprecation. (We therefore also provide security patches for major releases from one year past. A major release is the increment in the first version number.)

Wed Sep 25 2013

© Stichting NLnet Labs

Science Park 400, 1098 XH Amsterdam, The Netherlands

labs@nlnetlabs.nl, subsidised by NLnet and SIDN.