In a posting recently forwarded to bugtraq by Theo de Raadt, Paul Vixie, Chairman of the ISC, describes the need for a fee-based program that notifies BIND vendors, TLD operators, and others, under a non-disclosure plan, by publishing security and bug information to priority members. Theo thinks this is detrimental to the development of BIND.

"ISC has historically depended upon the "bind-workers" mailing list, and CERT advisories, to notify vendors of potential or actual security flaws in its BIND package. Recent events have very clearly shown that there is a need for a fee-based membership forum consisting only of:

  1. ISC itself
  2. Vendors who include BIND in their products
  3. Root and TLD name server operators
  4. Other qualified parties (at ISC's discretion)

Requirements of bind-members will be:

  1. Not-for-profit members can have their fees waived
  2. Use of PGP (or possibly S/MIME) will be mandatory
  3. Members will receive information security training
  4. Members will sign strong nondisclosure agreements

Features and benefits of "bind-members" status will include:

  1. Private access to the CVS pool where bind4, bind8 and bind9 live
  2. Reception of early warnings of security or other important flaws
  3. Periodic in-person meetings, probably at IETF's conference sites
  4. Participation on the bind-members mailing list

If you are a BIND vendor, root or TLD server operator, or other interested party, I urge you to seek management approval for entry into this forum, and then either contact, or have a responsible party contact, isc-info@isc.org.

Paul Vixie
Chairman
ISC"