# Security Policy

Perl's vulnerability handling policies are described fully in
[perlsecpolicy].

## Reporting a Vulnerability

If you believe you have found a security vulnerability in the Perl
interpreter or in modules maintained in the core Perl codebase, email
the details to perl-security@perl.org. This address is a closed-membership
mailing list monitored by the Perl security team.

You should receive an initial response to your report within 72 hours.
If you do not receive a response in that time, please contact
the [Perl Steering Council](mailto:steering-council@perl.org).

When members of the security team reply to your messages, they will
generally include the perl-security@perl.org address in the "To" or "CC"
fields of the response. This allows the whole security team to follow
the discussion and chime in as needed. Use the "Reply-all" function
of your email client when you send subsequent responses so that the
entire security team receives the message.

The security team will evaluate your report and make an initial
determination of whether it is likely to fit the scope of issues the
team handles. General guidelines about how this is determined are
detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy].

If your report meets the team's criteria, an issue will be opened in the
team's private issue tracker and you will be given the issue's ID number.
Issue identifiers have the form perl-security#NNN. Include this identifier
in any subsequent messages you send.

The security team will send periodic updates about the status of your
issue and guide you through any further action that is required to complete
the vulnerability remediation process. The stages vulnerabilities typically
go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"]
section of [perlsecpolicy].

[perlsecpolicy]: pod/perlsecpolicy.pod
["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues
["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues