[perl5.git] / SECURITY.md

# Security Policy

Perl's vulnerability handling policies are described fully in
[perlsecpolicy]

## Reporting a Vulnerability

If you believe you have found a security vulnerability in the Perl
interpreter or modules maintained in the core Perl codebase, email
the details to perl-security@perl.org. This address is a closed
membership mailing list monitored by the Perl security team.

You should receive an initial response to your report within 72 hours.
If you do not receive a response in that time, please contact
the security team lead [John Lightsey](mailto:john@04755.net) and
the Perl pumpking [SawyerX](mailto:xsawyerx@cpan.org).

When members of the security team reply to your messages, they will
generally include the perl-security@perl.org address in the "To" or "CC"
fields of the response. This allows all of the security team to follow
the discussion and chime in as needed. Use the "Reply-all" functionality
of your email client when you send subsequent responses so that the
entire security team receives the message.

The security team will evaluate your report and make an initial
determination of whether it is likely to fit the scope of issues the
team handles. General guidelines about how this is determined are
detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy].

If your report meets the team's criteria, an issue will be opened in the
team's private issue tracker and you will be provided the issue's ID number.
Issue identifiers have the form perl-security#NNN. Include this identifier
with any subsequent messages you send.

The security team will send periodic updates about the status of your
issue and guide you through any further action that is required to complete
the vulnerability remediation process. The stages vulnerabilities typically
go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"]
section of [perlsecpolicy].

[perlsecpolicy]: pod/perlsecpolicy.pod
["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues
["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues
Commit	Line	Data
cff6de5f N	1	# Security Policy
cff6de5f N	2
b135fd4a JL	3	Perl's vulnerability handling policies are described fully in
	4	[perlsecpolicy]
	5
cff6de5f N	6	## Reporting a Vulnerability
cff6de5f N	7
b135fd4a JL	8	If you believe you have found a security vulnerability in the Perl
	9	interpreter or modules maintained in the core Perl codebase, email
	10	the details to perl-security@perl.org. This address is a closed
	11	membership mailing list monitored by the Perl security team.
	12
	13	You should receive an initial response to your report within 72 hours.
	14	If you do not receive a response in that time, please contact
	15	the security team lead [John Lightsey](mailto:john@04755.net) and
	16	the Perl pumpking [SawyerX](mailto:xsawyerx@cpan.org).
	17
	18	When members of the security team reply to your messages, they will
	19	generally include the perl-security@perl.org address in the "To" or "CC"
	20	fields of the response. This allows all of the security team to follow
	21	the discussion and chime in as needed. Use the "Reply-all" functionality
	22	of your email client when you send subsequent responses so that the
	23	entire security team receives the message.
cff6de5f	24
b135fd4a JL	25	The security team will evaluate your report and make an initial
	26	determination of whether it is likely to fit the scope of issues the
	27	team handles. General guidelines about how this is determined are
	28	detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy].
cff6de5f	29
b135fd4a JL	30	If your report meets the team's criteria, an issue will be opened in the
	31	team's private issue tracker and you will be provided the issue's ID number.
	32	Issue identifiers have the form perl-security#NNN. Include this identifier
	33	with any subsequent messages you send.
cff6de5f	34
b135fd4a JL	35	The security team will send periodic updates about the status of your
	36	issue and guide you through any further action that is required to complete
	37	the vulnerability remediation process. The stages vulnerabilities typically
	38	go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"]
	39	section of [perlsecpolicy].
cff6de5f	40
b135fd4a JL	41	[perlsecpolicy]: pod/perlsecpolicy.pod
	42	["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues
	43	["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues