perlsecpolicy.pod - OpenGrok cross reference for /openbsd-src/gnu/usr.bin/perl/pod/perlsecpolicy.pod

Lines Matching full:perl
4 CVE perlsecpolicy SV perl Perl SDBM HackerOne Mitre
8 perlsecpolicy - Perl security report handling policy
12 The Perl project takes security issues seriously.
16 of a subset of the Perl core developers.
18 This document describes how the Perl security team operates and
21 =head1 REPORTING SECURITY ISSUES IN PERL
23 If you believe you have found a security vulnerability in the Perl
24 interpreter or modules maintained in the core Perl codebase,
26 L<perl-security@perl.org|mailto:perl-security@perl.org>.
27 This address is a closed membership mailing list monitored by the Perl
32 the L<Perl Steering Council|mailto:steering-council@perl.org>.
35 generally include the perl-security@perl.org address in the "To" or "CC"
48 Issue identifiers have the form perl-security#NNN. Include this identifier
65 Software written in the Perl programming language is typically composed
71 =head2 Software covered by the Perl security team
73 The Perl security team handles security issues in:
79 The Perl interpreter
83 The Perl modules shipped with the interpreter that are developed in the core
84 Perl repository
89 core Perl repository
93 Files under the F<cpan/> directory in Perl's repository and release tarballs are
94 developed and maintained independently. The Perl security team does not
96 bundled with Perl, we will assist in forwarding the issue to the relevant
99 =head2 Bugs that may qualify as security issues in Perl
101 Perl is designed to be a fast and flexible general purpose programming
102 language. The Perl interpreter and Perl modules make writing safe and
105 As a general rule, a bug in Perl needs to meet all of the following
112 The vulnerable behavior is not mentioned in Perl's documentation
127 otherwise secure applications written in Perl.
136 =head2 Bugs that do not qualify as security issues in Perl
146 The Perl parser is not designed to evaluate untrusted code.
153 not enforce limits on inputs. The Perl interpreter assumes limits
158 Common Perl constructs such as C<pack>, the C<x> operator,
162 available memory, the Perl interpreter will not prevent it.
167 security mechanisms. The Perl parser is not designed to evaluate
181 This type of bug is a long standing issue with the Perl interpreter
184 the Perl interpreter.
203 creates SV's in this fashion is corrupting Perl's internal state.
207 The blead branch and Perl release candidates do not receive security
209 versions of Perl are handled through the normal bug reporting and
212 =head3 CPAN modules or other Perl project resources  argument
214 The Perl security team is focused on the Perl interpreter and modules
215 maintained in the core Perl codebase. The team has no special access
216 to fix CPAN modules, applications written in Perl, Perl project websites,
217 Perl mailing lists or the Perl IRC servers.
221 The Perl interpreter attempts to emulate C<fork>, C<system>, C<exec>
223 quirks that are extensively documented in Perl's public issue tracker.
229 Some bugs in the Perl interpreter occur in areas of the codebase that are
235 with several caveats. The following behaviors of Perl's regular expression
247 Regular expressions may cause excessive recursion that halts the perl
250 As a general rule, do not expect Perl's regular expression engine to
259 Perl.
261 Bugs where Perl mishandles unexpected valid return values from the underlying
262 libraries may qualify as security issues in Perl.
266 The perl interpreter is reasonably robust to algorithmic complexity
277 The Perl security team follows responsible disclosure practices. Security issues
279 inherent risks users face from vulnerabilities in Perl.
285 L<perl-security@perl.org|mailto:perl-security@perl.org> contact address, we
294 =head2 Perl's vulnerability remediation workflow
301 L<Perl Steering Council|mailto:steering-council@perl.org>.
325 identifiers have the format perl-security#NNN or Perl/perl-security#NNN.
328 represents a vulnerability in Perl. Many reports require further analysis
340 detail to produce fixes for supported versions of Perl.
356 Details like the range of vulnerable Perl versions and identities
372 announcement is sent to the major redistributors of Perl.
374 This pre-release announcement includes a list of Perl versions that
377 or backporting fixes to older versions of Perl that the security team
395 The Perl security team does not directly produce official Perl
397 in Perl's public git repository and sending announcements.
399 Many users and redistributors prefer using official Perl releases
401 team works with Perl's release managers to make this possible.
403 New official releases of Perl are generally produced and tested
409 committed to Perl's public git repository and announcements will be
410 sent to the L<perl5-porters|https://lists.perl.org/list/perl5-porters.html>
414 If official Perl releases are ready, they will be published at this time
415 and announced on the L<perl5-porters|https://lists.perl.org/list/perl5-porters.html>
420 finished. Vulnerability reporters and Perl redistributors should not publish
421 their own announcements or fixes until the Perl security team's release process
431 or decreases the risk to users of Perl. In some cases being open about
438 If an unresolved critical security issue in Perl is being actively abused to
442 Perl's public defect tracker will be used to handle the issue so that additional
453 identified and resolved in Perl's public issue tracker, the team will
458 The Perl project appreciates the effort security researchers
459 invest in making Perl safe and secure.
476 Perl's announcements are written in the English language using the 7bit
482 established or there is a disagreement between the Perl security team
486 =head3 Bounties for Perl vulnerabilities
488 The Perl project is a non-profit volunteer effort. We do not provide
489 any monetary rewards for reporting security issues in Perl.