| | 1 | # Security Policy |
| | 2 | |
| | 3 | Perl's vulnerability handling policies are described fully in |
| | 4 | [perlsecpolicy] |
| | 5 | |
| | 6 | ## Reporting a Vulnerability |
| | 7 | |
| | 8 | If you believe you have found a security vulnerability in the Perl |
| | 9 | interpreter or modules maintained in the core Perl codebase, email |
| | 10 | the details to perl-security@perl.org. This address is a closed |
| | 11 | membership mailing list monitored by the Perl security team. |
| | 12 | |
| | 13 | You should receive an initial response to your report within 72 hours. |
| | 14 | If you do not receive a response in that time, please contact |
| | 15 | the [Perl Steering Council](mailto:steering-council@perl.org). |
| | 16 | |
| | 17 | When members of the security team reply to your messages, they will |
| | 18 | generally include the perl-security@perl.org address in the "To" or "CC" |
| | 19 | fields of the response. This allows all of the security team to follow |
| | 20 | the discussion and chime in as needed. Use the "Reply-all" functionality |
| | 21 | of your email client when you send subsequent responses so that the |
| | 22 | entire security team receives the message. |
| | 23 | |
| | 24 | The security team will evaluate your report and make an initial |
| | 25 | determination of whether it is likely to fit the scope of issues the |
| | 26 | team handles. General guidelines about how this is determined are |
| | 27 | detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy]. |
| | 28 | |
| | 29 | If your report meets the team's criteria, an issue will be opened in the |
| | 30 | team's private issue tracker and you will be provided the issue's ID number. |
| | 31 | Issue identifiers have the form perl-security#NNN. Include this identifier |
| | 32 | with any subsequent messages you send. |
| | 33 | |
| | 34 | The security team will send periodic updates about the status of your |
| | 35 | issue and guide you through any further action that is required to complete |
| | 36 | the vulnerability remediation process. The stages vulnerabilities typically |
| | 37 | go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"] |
| | 38 | section of [perlsecpolicy]. |
| | 39 | |
| | 40 | [perlsecpolicy]: pod/perlsecpolicy.pod |
| | 41 | ["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues |
| | 42 | ["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues |
https://perl5.git.perl.org / perl5.git / blame_incremental