Next Steps to More Secure Systems

As you know, the ICANN org provides systems and platforms for the ICANN stakeholder community to collaborate. The security and stability of these systems is vital. Our Engineering and Information Technology (E&IT) teams work hard to ensure that these systems are reliable, scalable, and secure for all ICANN meetings held around the world.

This is a resource-intensive endeavor, so we are exploring options to harden our systems against potential vulnerabilities more quickly. This includes exploring a "bug bounty" program to reward responsible reporters, including those in the ICANN "white hat" community. We are also considering hiring additional third-party experts to help us in these efforts.

We are going down this path for a few reasons. First, we recently concluded an annual third-party cybersecurity audit, which indicated we have not progressed at a rate that we're satisfied with.

Second, we were notified by a trusted community member of two system issues that have now been resolved. Based on our investigation, we have no indication that these issues were exploited by anyone other than the person who reported the incidents. At this time, it is our belief that neither of these vulnerabilities resulted in personal data breaches that would have triggered legal notice requirements. However, per our processes, and in the spirit of openness and transparency, we have added them to our public cybersecurity incident log.

I want to emphasize how grateful I am to the community member for reporting these issues. A letter acknowledging his efforts will be posted soon on our correspondence page. I encourage you to follow his lead and report any issues you are aware of by emailing vulnerability@icann.org.

I will continue to update you on our efforts to harden our systems as we move forward with this process. I have enjoyed seeing and talking with the many community members that have joined us in Barcelona, Spain, and I want to remind you that remote participation is available for ICANN63.
