https://perl5.git.perl.org / perl5.git / blame
| Commit | Line | Data |
|---|---|---|
| cff6de5f N |
1 | # Security Policy |
| 2 | ||
| b135fd4a JL |
3 | Perl's vulnerability handling policies are described fully in |
| 4 | [perlsecpolicy] | |
| 5 | ||
| cff6de5f N |
6 | ## Reporting a Vulnerability |
| 7 | ||
| b135fd4a JL |
8 | If you believe you have found a security vulnerability in the Perl |
| 9 | interpreter or modules maintained in the core Perl codebase, email | |
| 10 | the details to perl-security@perl.org. This address is a closed | |
| 11 | membership mailing list monitored by the Perl security team. | |
| 12 | ||
| 13 | You should receive an initial response to your report within 72 hours. | |
| 14 | If you do not receive a response in that time, please contact | |
| dcbafa45 | 15 | the [Perl Steering Council](mailto:steering-council@perl.org). |
| b135fd4a JL |
16 | |
| 17 | When members of the security team reply to your messages, they will | |
| 18 | generally include the perl-security@perl.org address in the "To" or "CC" | |
| 19 | fields of the response. This allows all of the security team to follow | |
| 20 | the discussion and chime in as needed. Use the "Reply-all" functionality | |
| 21 | of your email client when you send subsequent responses so that the | |
| 22 | entire security team receives the message. | |
| cff6de5f | 23 | |
| b135fd4a JL |
24 | The security team will evaluate your report and make an initial |
| 25 | determination of whether it is likely to fit the scope of issues the | |
| 26 | team handles. General guidelines about how this is determined are | |
| 27 | detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy]. | |
| cff6de5f | 28 | |
| b135fd4a JL |
29 | If your report meets the team's criteria, an issue will be opened in the |
| 30 | team's private issue tracker and you will be provided the issue's ID number. | |
| 31 | Issue identifiers have the form perl-security#NNN. Include this identifier | |
| 32 | with any subsequent messages you send. | |
| cff6de5f | 33 | |
| b135fd4a JL |
34 | The security team will send periodic updates about the status of your |
| 35 | issue and guide you through any further action that is required to complete | |
| 36 | the vulnerability remediation process. The stages vulnerabilities typically | |
| 37 | go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"] | |
| 38 | section of [perlsecpolicy]. | |
| cff6de5f | 39 | |
| b135fd4a JL |
40 | [perlsecpolicy]: pod/perlsecpolicy.pod |
| 41 | ["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues | |
| 42 | ["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues |