# Security Policy

Perl's vulnerability handling policies are described fully in
[perlsecpolicy].

## Reporting a Vulnerability

If you believe you have found a security vulnerability in the Perl
interpreter or modules maintained in the core Perl codebase, email
the details to perl-security@perl.org. This address is a closed
membership mailing list monitored by the Perl security team.

You should receive an initial response to your report within 72 hours.
If you do not receive a response in that time, please contact
the security team lead [John Lightsey](mailto:john@04755.net) and
the Perl pumpking [SawyerX](mailto:xsawyerx@cpan.org).

When members of the security team reply to your messages, they will
generally include the perl-security@perl.org address in the "To" or "CC"
fields of the response. This allows all of the security team to follow
the discussion and chime in as needed. Use the "Reply-all" functionality
of your email client when you send subsequent responses so that the
entire security team receives the message.

The security team will evaluate your report and make an initial
determination of whether it is likely to fit the scope of issues the
team handles. General guidelines about how this is determined are
detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy].

If your report meets the team's criteria, an issue will be opened in the
team's private issue tracker and you will be provided the issue's ID number.
Issue identifiers have the form perl-security#NNN. Include this identifier
with any subsequent messages you send.

The security team will send periodic updates about the status of your
issue and guide you through any further action that is required to complete
the vulnerability remediation process. The stages vulnerabilities typically
go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"]
section of [perlsecpolicy].

[perlsecpolicy]: pod/perlsecpolicy.pod
["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues
["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues