# Security Policy

Perl's vulnerability handling policies are described fully in
[perlsecpolicy].

## Reporting a Vulnerability

If you believe you have found a security vulnerability in the Perl
interpreter or modules maintained in the core Perl codebase, email
the details to perl-security@perl.org. This address is a closed
membership mailing list monitored by the Perl security team.

You should receive an initial response to your report within 72 hours.
If you do not receive a response in that time, please contact
the [Perl Steering Council](mailto:steering-council@perl.org).

When members of the security team reply to your messages, they will
generally include the perl-security@perl.org address in the "To" or "CC"
fields of the response. This allows all of the security team to follow
the discussion and chime in as needed. Use the "Reply-all" functionality
of your email client when you send subsequent responses so that the
entire security team receives the message.

The security team will evaluate your report and make an initial
determination of whether it is likely to fit the scope of issues the
team handles. General guidelines about how this is determined are
detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy].

If your report meets the team's criteria, an issue will be opened in the
team's private issue tracker and you will be provided the issue's ID number.
Issue identifiers have the form perl-security#NNN. Include this identifier
with any subsequent messages you send.

The security team will send periodic updates about the status of your
issue and guide you through any further action that is required to complete
the vulnerability remediation process. The stages vulnerabilities typically
go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"]
section of [perlsecpolicy].

[perlsecpolicy]: pod/perlsecpolicy.pod
["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues
["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues