perl.modules | Postings from June 2022

Should there be a policy for handling security reports for CPAN modules in general?

From: Robert Rothenberg
Date: June 20, 2022 10:51
Subject: Should there be a policy for handling security reports for CPAN modules in general?
Message ID: 6e2c336b-2b89-e1f6-a1aa-00253d6591f2@cpan.org
Note: sent to modules list but copied to Brian D Foy as author of 
CPAN::Audit.

There isn't a policy or central place for reporting security issues with 
CPAN modules that are not part of the Perl core.

Should there be one?

I have reported a couple of security issues to module authors, and have 
yet to receive replies.

One of them is a well-used module, and I've not received a reply after 
several months.

Another has a CVE associated with a library that it uses, so I've 
reported that separately to CPAN::Audit but that's still not a 
satisfactory way of reporting or handling issues.

Beyond asking around on forums "Is anyone in touch with this module 
author? I need to get in touch with them" I'm unsure where to go.

This feels unsatisfactory. But I'm not sure what a good alternative is yet.
