Note: sent to modules list but copied to Brian D Foy as author of CPAN::Audit.

There isn't a policy or central place for reporting security issues with CPAN modules that are not part of the Perl core. Should there be one?

I have reported a couple of security issues to module authors, and have yet to receive replies. One of them is a well-used module, and I've not received a reply after several months. Another has a CVE associated with a library that it uses, so I've reported that separately to CPAN::Audit but that's still not a satisfactory way of reporting or handling issues.

Beyond asking around on forums "Is anyone in touch with this module author? I need to get in touch with them" I'm unsure where to go. This feels unsatisfactory. But I'm not sure what a good alternative is yet.