read your message. Your message will get relayed to over 400
subscribers around the world so please try to keep it brief but clear.
-If the bug you are reporting has security implications, which make it
-inappropriate to send to a publicly archived mailing list, then please
-send it to perl5-security-report@perl.org. This points to a closed
-subscription unarchived mailing list, which includes all the core
-committers, who be able to help assess the impact of issues, figure out
-a resolution, and help co-ordinate the release of patches to mitigate or
-fix the problem across all platforms on which Perl is supported. Please
-only use this address for security issues in the Perl core, not for
-modules independently distributed on CPAN.
+If the bug you are reporting has security implications which make it
+inappropriate to send to a publicly archived mailing list, then see
+L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION>
+for details of how to report the issue.
If you are unsure what makes a good bug report please read "How to
report Bugs Effectively" by Simon Tatham:
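Review bot: The replacement paragraph points at L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> using POD link syntax, but none of the context lines in this hunk carry POD markup, unlike the later hunks with C<perl -V> and =head1. If this text can reach the reader unrendered, the pointer will show up as a literal L<...>; in that case spell it out as "the SECURITY VULNERABILITY CONTACT INFORMATION section of perlsec".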
sufficient test case. Your bug report, along with the output of C<perl -V>,
will be sent off to perlbug@perl.org to be analysed by the Perl porting team.
-If the bug you are reporting has security implications, which make it
-inappropriate to send to a publicly archived mailing list, then please send it
-to perl5-security-report@perl.org. This points to a closed subscription
-unarchived mailing list, which includes all the core committers, who will be
-able to help assess the impact of issues, figure out a resolution, and help
-co-ordinate the release of patches to mitigate or fix the problem across all
-platforms on which Perl is supported. Please only use this address for
-security issues in the Perl core, not for modules independently distributed on
-CPAN.
+If the bug you are reporting has security implications which make it
+inappropriate to send to a publicly archived mailing list, then see
+L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION>
+for details of how to report the issue.
=head1 SEE ALSO
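Review bot: After this change the only address left in this passage is the public one: the context line above says the report "will be sent off to perlbug@perl.org", and the added paragraph replaces perl5-security-report@perl.org with a cross-reference. A reporter who does not follow the link has nothing here that names the private channel. Consider keeping the address inline and using the link for the procedure, for example "then please send it to perl5-security-report@perl.org; see L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION> for details."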
sufficient test case. Your bug report, along with the output of C<perl -V>,
will be sent off to perlbug@perl.org to be analysed by the Perl porting team.
-If the bug you are reporting has security implications, which make it
-inappropriate to send to a publicly archived mailing list, then please send it
-to perl5-security-report@perl.org. This points to a closed subscription
-unarchived mailing list, which includes all the core committers, who will be
-able to help assess the impact of issues, figure out a resolution, and help
-co-ordinate the release of patches to mitigate or fix the problem across all
-platforms on which Perl is supported. Please only use this address for
-security issues in the Perl core, not for modules independently distributed on
-CPAN.
+If the bug you are reporting has security implications which make it
+inappropriate to send to a publicly archived mailing list, then see
+L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION>
+for details of how to report the issue.
=head1 SEE ALSO
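Review bot: This hunk is line-for-line identical to the previous one, context included, so the same paragraph is evidently maintained in two places. Whatever wording is settled on for the previous hunk needs to land here as well; if one copy is derived from the other, make the edit in the source copy only so the two cannot drift.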
advice to you as you do so and, where possible will try to apply
those patches to the relevant -maint branches in git, though we may or
may not choose to make numbered releases or "official" patches
-available. Contact us at E<lt>perl5-security-report@perl.orgE<gt>
-to begin that process.
+available. See L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION>
+for details on how to begin that process.
=back
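Review bot: The added sentence reads "for details on how to begin that process" while the cross-references in the earlier hunks read "for details of how to report the issue". Pick one preposition and use it for every pointer to the perlsec section, so the references read as the same instruction.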
=item *
Patches that fix CVEs or security issues. These changes should
-be run through the perl5-security-report@perl.org mailing list
-rather than applied directly.
+be passed using the security reporting mechanism rather than applied
+directly; see L<perlsec/SECURITY VULNERABILITY CONTACT INFORMATION>.
=item *
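Review bot: "be passed using the security reporting mechanism" on the first added line does not say who passes the patch or to whom, where the removed text named a concrete destination. Something like "be submitted through the security reporting process rather than applied directly" is clearer, and the link to perlsec then supplies the detail.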
=head1 SECURITY VULNERABILITY CONTACT INFORMATION
-If you believe you have found a security vulnerability in Perl, please email
-perl5-security-report@perl.org with details. This points to a closed
-subscription, unarchived mailing list. Please only use this address for
-security issues in the Perl core, not for modules independently distributed on
-CPAN.
+If you believe you have found a security vulnerability in Perl, please
+email the details to perl5-security-report@perl.org. This creates a new
+Request Tracker ticket in a special queue which isn't initially publicly
+accessible. The email will also be copied to a closed subscription
+unarchived mailing list which includes all the core committers, who will
+be able to help assess the impact of issues, figure out a resolution, and
+help co-ordinate the release of patches to mitigate or fix the problem
+across all platforms on which Perl is supported. Please only use this
+address for security issues in the Perl core, not for modules
+independently distributed on CPAN.
+
+When sending an initial request to the security email address, please
+don't Cc any other parties, because if they reply to all, the reply will
+generate yet another new ticket. Once you have received an initial reply
+with a C<[perl #NNNNNN]> ticket number in the headline, it's okay to Cc
+subsequent replies to third parties: all emails to the
+perl5-security-report address with the ticket number in the subject line
+will be added to the ticket; without it, a new ticket will be created.
=head1 SECURITY MECHANISMS AND CONCERNS
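Review bot: The first added paragraph says the ticket goes to a queue "which isn't initially publicly accessible" but never says when or under what conditions it becomes accessible, which is the thing a reporter deciding what to include will want to know; add a sentence on that or drop "initially". In the second paragraph, the ticket number is said to appear "in the headline" and then, two lines later, "in the subject line"; use "subject line" in both places so it is clear these are the same field.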