This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
perlapi: Remove per-thread section; move to real scns
[perl5.git] / SECURITY.md
CommitLineData
cff6de5f
N
1# Security Policy
2
b135fd4a
JL
3Perl's vulnerability handling policies are described fully in
4[perlsecpolicy]
5
cff6de5f
N
6## Reporting a Vulnerability
7
b135fd4a
JL
8If you believe you have found a security vulnerability in the Perl
9interpreter or modules maintained in the core Perl codebase, email
10the details to perl-security@perl.org. This address is a closed
11membership mailing list monitored by the Perl security team.
12
13You should receive an initial response to your report within 72 hours.
14If you do not receive a response in that time, please contact
15the security team lead [John Lightsey](mailto:john@04755.net) and
16the Perl pumpking [SawyerX](mailto:xsawyerx@cpan.org).
17
18When members of the security team reply to your messages, they will
19generally include the perl-security@perl.org address in the "To" or "CC"
20fields of the response. This allows all of the security team to follow
21the discussion and chime in as needed. Use the "Reply-all" functionality
22of your email client when you send subsequent responses so that the
23entire security team receives the message.
cff6de5f 24
b135fd4a
JL
25The security team will evaluate your report and make an initial
26determination of whether it is likely to fit the scope of issues the
27team handles. General guidelines about how this is determined are
28detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy].
cff6de5f 29
b135fd4a
JL
30If your report meets the team's criteria, an issue will be opened in the
31team's private issue tracker and you will be provided the issue's ID number.
32Issue identifiers have the form perl-security#NNN. Include this identifier
33with any subsequent messages you send.
cff6de5f 34
b135fd4a
JL
35The security team will send periodic updates about the status of your
36issue and guide you through any further action that is required to complete
37the vulnerability remediation process. The stages vulnerabilities typically
38go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"]
39section of [perlsecpolicy].
cff6de5f 40
b135fd4a
JL
41[perlsecpolicy]: pod/perlsecpolicy.pod
42["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues
43["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues