perl/pod/perlsecpolicy.pod

=encoding utf-8

=for stopwords
CVE perlsecpolicy SV perl Perl SDBM HackerOne Mitre

=head1 NAME

perlsecpolicy - Perl security report handling policy

=head1 DESCRIPTION

The Perl project takes security issues seriously.

The responsibility for handling security reports in a timely and
effective manner has been delegated to a security team composed
of a subset of the Perl core developers.

This document describes how the Perl security team operates and
how the team evaluates new security reports.

=head1 REPORTING SECURITY ISSUES IN PERL

If you believe you have found a security vulnerability in the Perl
interpreter or modules maintained in the core Perl codebase,
email the details to
L<perl-security@perl.org|mailto:perl-security@perl.org>.
This address is a closed membership mailing list monitored by the Perl
security team.

You should receive an initial response to your report within 72 hours.
If you do not receive a response in that time, please contact
the L<Perl Steering Council|mailto:steering-council@perl.org>.

When members of the security team reply to your messages, they will
generally include the perl-security@perl.org address in the "To" or "CC"
fields of the response. This allows all of the security team to follow
the discussion and chime in as needed. Use the "Reply-all" functionality
of your email client when you send subsequent responses so that the
entire security team receives the message.

The security team will evaluate your report and make an initial
determination of whether it is likely to fit the scope of issues the
team handles. General guidelines about how this is determined are
detailed in the L</WHAT ARE SECURITY ISSUES> section.

If your report meets the team's criteria, you will be provided the issue's
CVE ID(s). Issue identifiers have the form CVE-YYYY-NNNNN, where YYYY is the
year the CVE was reported, and NNNNN is a unique number. Include this identifier
with any subsequent messages you send.

The security team will send periodic updates about the status of your
issue and guide you through any further action that is required to complete
the vulnerability remediation process. The stages vulnerabilities typically
go through are explained in the L</HOW WE DEAL WITH SECURITY ISSUES>
section.

=head1 WHAT ARE SECURITY ISSUES

A vulnerability is a behavior of a software system that compromises the
system's expected confidentiality, integrity or availability protections.

A security issue is a bug in one or more specific components of a software
system that creates a vulnerability.

Software written in the Perl programming language is typically composed
of many layers of software written by many different groups. It can be
very complicated to determine which specific layer of a complex real-world
application was responsible for preventing a vulnerable behavior, but this
is an essential part of fixing the vulnerability.

=head2 Software covered by the Perl security team

The Perl security team handles security issues in:

=over

=item *

The Perl interpreter

=item *

The Perl modules shipped with the interpreter that are developed in the core
Perl repository

=item *

The command line tools shipped with the interpreter that are developed in the
core Perl repository

=back

Files under the F<cpan/> directory in Perl's repository and release tarballs are
developed and maintained independently. The Perl security team does not
directly handle security issues for these modules, but since this code is
bundled with Perl, we will assist in forwarding the issue to the relevant
maintainer(s) and you can still report these issues to us in secrecy.

=head2 Bugs that may qualify as security issues in Perl

Perl is designed to be a fast and flexible general purpose programming
language. The Perl interpreter and Perl modules make writing safe and
secure applications easy, but they do have limitations.

As a general rule, a bug in Perl needs to meet all of the following
criteria to be considered a security issue:

=over

=item *

The vulnerable behavior is not mentioned in Perl's documentation
or public issue tracker.

=item *

The vulnerable behavior is not implied by an expected behavior.

=item *

The vulnerable behavior is not a generally accepted limitation of
the implementation.

=item *

The vulnerable behavior is likely to be exposed to attack in
otherwise secure applications written in Perl.

=item *

The vulnerable behavior provides a specific tangible benefit
to an attacker that triggers the behavior.

=back

=head2 Bugs that do not qualify as security issues in Perl

There are certain categories of bugs that are frequently reported to
the security team that do not meet the criteria listed above.

The following is a list of commonly reported bugs that are not
handled as security issues.

=head3 Feeding untrusted code to the interpreter

The Perl parser is not designed to evaluate untrusted code.
If your application requires the evaluation of untrusted code, it
should rely on an operating system level sandbox for its security.

=head3 Stack overflows due to excessive recursion

Excessive recursion is often caused by code that does
not enforce limits on inputs. The Perl interpreter assumes limits
on recursion will be enforced by the application.

=head3 Out of memory errors

Common Perl constructs such as C<pack>, the C<x> operator,
and regular expressions accept numeric quantifiers that control how
much memory will be allocated to store intermediate values or results.
If you allow an attacker to supply these quantifiers and consume all
available memory, the Perl interpreter will not prevent it.

=head3 Escape from a L<Safe> compartment

L<Opcode> restrictions and L<Safe> compartments are not supported as
security mechanisms. The Perl parser is not designed to evaluate
untrusted code.

=head3 Use of the C<p> and C<P> pack templates

These templates are unsafe by design.

=head3 Stack not reference-counted issues

These bugs typically present as use-after-free errors or as assertion
failures on the type of a C<SV>. Stack not reference-counted
crashes usually occur because code is both modifying a reference or
glob and using the values referenced by that glob or reference.

This type of bug is a long standing issue with the Perl interpreter
that seldom occurs in normal code. Examples of this type of bug
generally assume that attacker-supplied code will be evaluated by
the Perl interpreter.

=head3 Thawing attacker-supplied data with L<Storable>

L<Storable> is designed to be a very fast serialization format.
It is not designed to be safe for deserializing untrusted inputs.

=head3 Using attacker supplied L<SDBM_File> databases

The L<SDBM_File> module is not intended for use with untrusted SDBM
databases.

=head3 Badly encoded UTF-8 flagged scalars

This type of bug occurs when the C<:utf8> PerlIO layer is used to
read badly encoded data, or other mechanisms are used to directly
manipulate the UTF-8 flag on an SV.

A badly encoded UTF-8 flagged SV is not a valid SV. Code that
creates SV's in this fashion is corrupting Perl's internal state.

=head3 Issues that exist only in blead, or in a release candidate

The blead branch and Perl release candidates do not receive security
support. Security defects that are present only in pre-release
versions of Perl are handled through the normal bug reporting and
resolution process.

=head3 CPAN modules or other Perl project resources

The Perl security team is focused on the Perl interpreter and modules
maintained in the core Perl codebase. The team has no special access
to fix CPAN modules, applications written in Perl, Perl project websites,
Perl mailing lists or the Perl IRC servers.

=head3 Emulated POSIX behaviors on Windows systems

The Perl interpreter attempts to emulate C<fork>, C<system>, C<exec>
and other POSIX behaviors on Windows systems. This emulation has many
quirks that are extensively documented in Perl's public issue tracker.
Changing these behaviors would cause significant disruption for existing
users on Windows.

=head2 Bugs that require special categorization

Some bugs in the Perl interpreter occur in areas of the codebase that are
both security sensitive and prone to failure during normal usage.

=head3 Regular expressions

Untrusted regular expressions are generally safe to compile and match against
with several caveats. The following behaviors of Perl's regular expression
engine are the developer's responsibility to constrain.

The evaluation of untrusted regular expressions while C<use re 'eval';> is
in effect is never safe.

Regular expressions are not guaranteed to compile or evaluate in any specific
finite time frame.

Regular expressions may consume all available system memory when they are
compiled or evaluated.

Regular expressions may cause excessive recursion that halts the perl
interpreter.

As a general rule, do not expect Perl's regular expression engine to
be resistant to denial of service attacks.

=head3 L<DB_File>, L<ODBM_File>, or L<GDBM_File> databases

These modules rely on external libraries to interact with database files.

Bugs caused by reading and writing these file formats are generally caused
by the underlying library implementation and are not security issues in
Perl.

Bugs where Perl mishandles unexpected valid return values from the underlying
libraries may qualify as security issues in Perl.

=head3 Algorithmic complexity attacks

The perl interpreter is reasonably robust to algorithmic complexity
attacks. It is not immune to them.

Algorithmic complexity bugs that depend on the interpreter processing
extremely large amounts of attacker supplied data are not generally handled
as security issues.

See L<perlsec/Algorithmic Complexity Attacks> for additional information.

=head1 HOW WE DEAL WITH SECURITY ISSUES

The Perl security team follows responsible disclosure practices. Security issues
are kept secret until a fix is readily available for most users. This minimizes
inherent risks users face from vulnerabilities in Perl.

Hiding problems from the users temporarily is a necessary trade-off to keep
them safe. Hiding problems from users permanently is not the goal.

When you report a security issue privately to the
L<perl-security@perl.org|mailto:perl-security@perl.org> contact address, we
normally expect you to follow responsible disclosure practices in the handling
of the report. If you are unable or unwilling to keep the issue secret until
a fix is available to users you should state this clearly in the initial
report.

The security team's vulnerability remediation workflow is intended to be as
open and transparent as possible about the state of your security report.

=head2 Perl's vulnerability remediation workflow

=head3 Initial contact

New vulnerability reports will receive an initial reply within 72 hours
from the time they arrive at the security team's mailing list. If you do
not receive any response in that time, contact the
L<Perl Steering Council|mailto:steering-council@perl.org>.

The initial response sent by the security team will confirm your message was
received and provide an estimated time frame for the security team's
triage analysis.

=head3 Initial triage

The security team will evaluate the report and determine whether or not
it is likely to meet the criteria for handling as a security issue.

The security team aims to complete the initial report triage within
two weeks' time. Complex issues that require significant discussion or
research may take longer.

If the security report cannot be reproduced or does not meet the team's
criteria for handling as a security issue, you will be notified by email
and given an opportunity to respond.

=head3 CVE assignment

Security reports that pass initial triage analysis are turned into CVEs.
When a report progresses to this point, one or more CVEs are reserved by
the security team. Issue identifiers have the form CVE-YYYY-NNNNN, where
YYYY is the year the CVE was reported, and NNNNN is a unique number. The
CVE will be used in any subsequent communications about the issue.

The assignment of these IDs do not confirm that a security report represents
a vulnerability in Perl. Many reports require further analysis to reach that
determination. The vulnerability should not be discussed publicly at this stage.

An internal ticket will also be opened. These identifiers have the format
perl-security#NNN or Perl/perl-security#NNN.

Issues in the security team's private tracker are used to collect details
about the problem and track progress towards a resolution. These notes and
other details are not made public when the issue is resolved. Keeping the
issue notes private allows the security team to freely discuss attack
methods, attack tools, and other related private issues.

=head3 Development of patches

Members of the security team will inspect the report and related code in
detail to produce fixes for supported versions of Perl.

If the team discovers that the reported issue does not meet the team's
criteria at this stage, you will be notified by email and given an
opportunity to respond before the issue is closed.

The team may discuss potential fixes with you or provide you with
patches for testing purposes during this time frame.

=head3 The CVE is drafted

Once an issue is fully confirmed and a potential fix has been found,
the security team will communicate with the
L<CPAN Security Group CNA|https://security.metacpan.org/>.

Details like the range of vulnerable Perl versions and identities
of the people that discovered the flaw need to be collected.

The security team may ask you to clarify the exact name we should use
when crediting discovery of the issue. The
L</Vulnerability credit and bounties> section of this document
explains our preferred format for this credit.

=head3 Pre-release notifications

When the security team is satisfied that the fix for a security issue
is ready to release publicly, a pre-release notification announcement
is sent to the L<Openwall Distros List|https://oss-security.openwall.org/wiki/mailing-lists/distros>.
Additional other repackagers are notified.

NOTE: Any embargoed information sent to the Openwall Distros List
expires within 2 weeks of disclosure to that location.

This pre-release announcement includes a list of Perl versions that
are affected by the flaw, an analysis of the risks to users, patches
the security team has produced, and any information about mitigations
or backporting fixes to older versions of Perl that the security team
has available.

The pre-release announcement will include a specific target date
when the issue will be announced publicly. The time frame between
the pre-release announcement and the release date allows redistributors
to prepare and test their own updates and announcements. During this
period the vulnerability details and fixes are embargoed (see L</Embargo Period> )
and should not be shared publicly. This L</Embargo Period> may be extended further if
problems are discovered during testing.

You will be sent the portions of pre-release announcements that are
relevant to the specific issue you reported. This email will include
the target release date. Additional updates will be sent if the
target release date changes.

=head3 Pre-release testing

The Perl security team does not directly produce official Perl
releases. The team releases security fixes by placing commits
in Perl's public git repository and sending announcements.

Many users and redistributors prefer using official Perl releases
rather than applying patches to an older release. The security
team works with Perl's release managers to make this possible.

New official releases of Perl are generally produced and tested
on private systems during the pre-release L</Embargo Period>.

=head3 Release of fixes and announcements

The L</Embargo Period> ends when the security fixes are committed to Perl's
public git repository. Announcements will be sent to the 
L<perl5-porters|https://lists.perl.org/list/perl5-porters.html> and 
L<oss-security|https://oss-security.openwall.org/wiki/mailing-lists/oss-security>
mailing lists.

If official Perl releases are ready, they will be published at this time
and announced on the L<perl5-porters|https://lists.perl.org/list/perl5-porters.html>
mailing list.

The security team will send a follow-up notification to everyone that
participated in the pre-release L</Embargo Period> once the release process is
finished. Vulnerability reporters and Perl redistributors should not publish
their own announcements or fixes until the Perl security team's release process
is complete.

=head2 Publicly known and zero-day security issues

The security team's vulnerability remediation workflow assumes that issues
are reported privately and kept secret until they are resolved. This isn't
always the case and information occasionally leaks out before a fix is ready.

In these situations the team must decide whether operating in secret increases
or decreases the risk to users of Perl. In some cases being open about
the risk a security issue creates will allow users to defend against it,
in other cases calling attention to an unresolved security issue will
make it more likely to be misused.

=head3 Zero-day security issues

If an unresolved critical security issue in Perl is being actively abused to
attack systems the security team will send out announcements as rapidly as
possible with any mitigations the team has available.

Perl's public defect tracker will be used to handle the issue so that additional
information, fixes, and CVE IDs are visible to affected users as rapidly as
possible.

=head3 Other leaks of security issue information

Depending on the prominence of the information revealed about a security
issue and the issue's risk of becoming a zero-day attack, the security team may
skip all or part of its normal remediation workflow.

If the security team learns of a significant security issue after it has been
identified and resolved in Perl's public issue tracker, the team will
request a CVE ID and send an announcement to inform users.

=head2 Vulnerability credit and bounties

The Perl project appreciates the effort security researchers invest in making
Perl safe and secure.

Since much of this work is hidden from the public, crediting researchers
publicly is an important part of the vulnerability remediation process.

=head3 Credits in vulnerability announcements

When security issues are fixed we will attempt to credit the specific
researcher(s) that discovered the flaw in our announcements.

Credits are announced using the researcher's preferred full name.

If the researcher's contributions were funded by a specific company or
part of an organized vulnerability research project, we will include
a short name for this group at the researcher's request.

Perl's announcements are written in the English language using the 7bit
ASCII character set to be reproducible in a variety of formats. We
do not include hyperlinks, domain names or marketing material with these
acknowledgments.

In the event that proper credit for vulnerability discovery cannot be
established or there is a disagreement between the Perl security team
and the researcher about how the credit should be given, it will be
omitted from announcements.

=head3 Bounties for Perl vulnerabilities

The Perl project is a non-profit volunteer effort. We do not provide
any monetary rewards for reporting security issues in Perl.

=head2 Embargo Period

In the context of Perl's coordinated vulnerability disclosure process, an "embargo"
refers to the period of time during which information about a reported vulnerability
is kept confidential. This embargo begins when a security issue is reported to the
Perl security team and lasts until a fix has been developed and a fix is provided
in a public location.

The purpose of the embargo is to allow the security team to work on a fix
and prepare a coordinated release without the risk of the vulnerability being
exploited or disclosed prematurely. This helps ensure that users of Perl
and its modules are protected from potential attacks while the security
issue is being addressed.

Embargo lengths can vary depending on the complexity of the issue and the
time required to develop a fix. The security team will communicate
the expected duration of the embargo to the reporter and any other
parties involved in the process. 

As a goal, the security team aims to keep the total embargo period to less
than 60 days. This may be extended due to the following factors: 

=over 4

=item *

The complexity of the issue

=item *

The time required to develop a fix

=item *

The need for additional testing or validation

=item *

The availability of resources to address the issue

=item *

Public holidays which might affect the ability of end users to apply the fix.

=back

During this period:

=over 4

=item *

Details of the vulnerability are shared only with a restricted group of trusted contributors
(such as core maintainers, toolchain maintainers, and packagers), solely for the purpose
of preparing and testing a fix.

=item *

Reporters are asked not to disclose the issue publicly or share details with third parties
until the embargo is lifted.

=item *

The duration of the embargo may vary depending on the severity and complexity of the issue,
but typically lasts until the relevant security patch is released and announced.

=item *

Breaking the embargo — by prematurely disclosing details — undermines the coordinated
disclosure process and can hinder the coordinated effort to protect users effectively.

=back

The Perl security team strives to resolve vulnerabilities promptly and encourages all parties
to respect the embargo period to help protect users and downstream distributions.

=head2 Example Release Process

This section provides an example of how a security issue reported by a third
party might be handled by the Perl security team, from the initial report to
the final release.

=head3 Step 1: Reporting the Vulnerability

A security researcher discovers a vulnerability in the Perl interpreter that
allows an attacker to cause a denial of service under specific conditions. The
researcher emails the details of the issue to
L<perl-security@perl.org|mailto:perl-security@perl.org>, including a
proof-of-concept script and a description of the impact.

=head3 Step 2: Initial Response

Within 72 hours, the security team acknowledges receipt of the report and
confirms that the issue is under investigation. The researcher is informed of
the expected timeline for triage.

=head3 Step 3: Initial Triage

The security team reproduces the issue using the provided proof-of-concept and
determines that it meets the criteria for handling as a security issue. One or
more CVEs are reserved in coordination with the
L<CPAN Security Group CNA|https://security.metacpan.org/2025/02/25/cpansec-is-cna-for-perl-and-cpan.html>.
The team notifies the researcher referencing the CVE IDs.

=head3 Step 4: Development of a Fix

The security team analyzes the affected code and develops a patch to address
the vulnerability. The patch is tested against various scenarios to ensure it
resolves the issue without introducing regressions. The researcher is invited
to test the patch privately and provide feedback.

=head3 Step 5: Pre-Release Notification

The security team prepares a pre-release notification, including details of
the vulnerability, the affected Perl versions, and the patch. This notification
is sent to major redistributors of Perl under embargo, giving them time to
prepare their own updates.

=head3 Step 6: Pre-Release Testing

During the remaining embargo period, pre-notified redistributors prepare packages
for release and test the patch to ensure compatibility with their systems.

=head3 Step 7: Public Release

On the scheduled release date, the patch is committed to Perl's public git
repository. An official announcement is sent to the
L<perl5-porters|https://lists.perl.org/list/perl5-porters.html> and
L<oss-security|https://oss-security.openwall.org/wiki/mailing-lists/oss-security>
mailing lists. If applicable, a new Perl release containing the fix is
published.

The security team will notify CPAN Security Group CNA to publish the CVE.

=head3 Step 8: Vendor and Third-Party Updates

Vendors and third-party maintainers incorporate the patch or updated Perl
release into their distributions. The security team follows up with all
parties involved to ensure the issue is resolved and users are protected.

=cut