Security Response Waiver Requests for Registrars
The Security Response Waiver (SRW) was developed to provide a process for ICANN- accredited registrars to inform ICANN organization of a present or imminent security incident (hereinafter referred to as "incident") to their registrar and/or the Domain Name System (DNS). Using the SRW registrars can request a contractual waiver for actions it might take, or has taken, to mitigate or eliminate an incident. A contractual waiver is an exemption from compliance with a specific provision of the Registrar Accreditation Agreement (RAA) for the time period necessary to respond to the incident. The SRW has been designed to allow operational security to be maintained around an incident while keeping relevant parties (e.g., ICANN org, other affected providers, etc.) informed as appropriate.
In August 2021, ICANN org expanded the Expedited Registry Security Response (ERSR) process to enable registrars to submit waiver requests. As a result, the ERSR was renamed the "Security Response Waiver (SRW)".
A registrar may request this service when one or more of the following incidents occur:
- A malicious activity involving the DNS of such scale and severity that it threatens systematic security, stability, and resiliency of a gTLD or the DNS;
- An occurrence with the potential to cause a temporary or long-term threat impacting the registration of domain names at an ICANN-accredited registrar;
- A court order from a law enforcement agency with jurisdiction over the registrar which requires the registrar to take action due to a specific security threat.
ICANN org recognizes registrars may be required to take immediate action to prevent or address an incident in some instances due to extraordinary circumstances. In such cases, registrars should submit an SRW request as soon as possible so that ICANN org may respond with a retroactive waiver if appropriate.
Registrar SRW Process
There are three phases in this process.
- Submit SRW Request - Registrars may submit a SRW request by emailing a completed Registrar SRW request form [PDF, 242 KB] to firstname.lastname@example.org. In the submission, the registrar must indicate whether action has already been taken or action is urgent and the waiver is required prior to taking action. Additionally, within the submission, the registrar will need to provide a description of the incident and details on how the registrar plans to respond, or has responded to, the incident. The submission must also include the provisions the registrar is requesting to waive. This may include, but is not limited to, a temporary waiver for Section 3.9.2 of the RAA, Accreditation Fees, specifically the transaction-based fee of USD 0.18 per transaction/year.
- Review of SRW Request - ICANN org will review the SRW request and provide a response. ICANN org may request additional information, if necessary, to ensure a comprehensive review and consideration of the SRW request. The requestor will be asked to provide such information expeditiously. On a case-by-case basis, ICANN org may contact the registrar and/or an external authority (e.g., law enforcement agency, security researcher, etc.) to confirm the incident.
- Determination and Response - ICANN org will respond in writing within 15 calendar days of receipt of all required information with either (i) a waiver or retroactive waiver, if appropriate, (ii) an update to an existing waiver, (iii) a determination that the request is in scope of an existing waiver, or (iv) a determination that a waiver will not be granted, including rationale.
Following a response to an SRW, ICANN org, in collaboration with the affected registrar, may develop an After Action Report (AAR) that may be made available to the community. If an AAR is to be published, ICANN org and the affected registrar will jointly review which sections of the SRW request and AAR should be redacted to ensure confidential and proprietary information is protected.