Commit | Line | Data |
---|---|---|
| cff6de5f N | 1 | # Security Policy |
| | 2 | |
| b135fd4a JL | 3 | Perl's vulnerability handling policies are described fully in |
| | 4 | [perlsecpolicy] |
| | 5 | |
| cff6de5f N | 6 | ## Reporting a Vulnerability |
| | 7 | |
| b135fd4a JL | 8 | If you believe you have found a security vulnerability in the Perl |
| | 9 | interpreter or modules maintained in the core Perl codebase, email |
| | 10 | the details to perl-security@perl.org. This address is a closed |
| | 11 | membership mailing list monitored by the Perl security team. |
| | 12 | |
| | 13 | You should receive an initial response to your report within 72 hours. |
| | 14 | If you do not receive a response in that time, please contact |
| dcbafa45 | 15 | the [Perl Steering Council](mailto:steering-council@perl.org). |
| b135fd4a JL | 16 | |
| | 17 | When members of the security team reply to your messages, they will |
| | 18 | generally include the perl-security@perl.org address in the "To" or "CC" |
| | 19 | fields of the response. This allows all of the security team to follow |
| | 20 | the discussion and chime in as needed. Use the "Reply-all" functionality |
| | 21 | of your email client when you send subsequent responses so that the |
| | 22 | entire security team receives the message. |
| cff6de5f | 23 | |
| b135fd4a JL | 24 | The security team will evaluate your report and make an initial |
| | 25 | determination of whether it is likely to fit the scope of issues the |
| | 26 | team handles. General guidelines about how this is determined are |
| | 27 | detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy]. |
| cff6de5f | 28 | |
| b135fd4a JL | 29 | If your report meets the team's criteria, an issue will be opened in the |
| | 30 | team's private issue tracker and you will be provided the issue's ID number. |
| | 31 | Issue identifiers have the form perl-security#NNN. Include this identifier |
| | 32 | with any subsequent messages you send. |
| cff6de5f | 33 | |
| b135fd4a JL | 34 | The security team will send periodic updates about the status of your |
| | 35 | issue and guide you through any further action that is required to complete |
| | 36 | the vulnerability remediation process. The stages vulnerabilities typically |
| | 37 | go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"] |
| | 38 | section of [perlsecpolicy]. |
| cff6de5f | 39 | |
| b135fd4a JL | 40 | [perlsecpolicy]: pod/perlsecpolicy.pod |
| | 41 | ["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues |
| | 42 | ["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues |