ISC's Security Vulnerability Disclosure Policy is documented in the relevant ISC Knowledgebase article.

If you think you may be seeing a potential security vulnerability in BIND (for example, a crash with a REQUIRE, INSIST, or ASSERT failure), please report it immediately by opening a confidential GitLab issue (preferred) or emailing bind-security@isc.org.

Please do not discuss undisclosed security vulnerabilities on any public mailing list. ISC has a long history of handling reported vulnerabilities promptly and effectively and we respect and acknowledge responsible reporters.

If you have a crash, you may want to consult the Knowledgebase article entitled "What to do if your BIND or DHCP server has crashed".