CPANSec is now CNA!

Years ago, a few people decided during the Perl Toolchain Summit (PTS) that it would be a good idea to join forces, ideas and knowledge and start a group to monitor vulnerabilities in the complete perl ecosystem form core to the smallest CPAN release. The goal was to follow legislation and CVE reports, and help authors in taking actions on not being vulnerable anymore.

That group has grown stable over the past years and is now known as CPANSec

The group has several focus areas, and one of them is channeling CVE vulnerability issues.

In that specific goal, a milestone has been reached:

CPANSec has just been authorized as a CVE Numbering Authority (CNA) for Perl and modules on CPAN 📣🎉🥳👌

The CPAN Security Group was authorized by the CVE Program as a CVE Numbering Authority (CNA) on Feb 25, 2025. A CNA assigns and manages CVE identifiers for projects in their scope.

Our scope is vulnerabilities in Perl and CPAN Modules (including End-of-Life Perl versions) found at perl.org, cpan.org or metacpan.org, excluding distributions of Perl or CPAN Modules maintained by third-party redistributors.

CVE is an international, community-based effort to identify, define and catalog publicly disclosed software vulnerabilities. To learn more about the CVE program, visit www.cve.org.

Report Vulnerability

Vulnerabilities should be reported according to the security policy of the affected project.

For more details, see our guide on how to Report a Security Issue in Perl and the CPAN ecosystem.

Contact Us

To request a CVE identifier, or to update a CVE we have issued, please send an email to cve-request@security.metacpan.org.

Subscribe to the cve-announce mailing list to be notified of new CVEs published by us.

For questions, disputes or other CNA related queries please use cna@security.metacpan.org. Disputes are handled according to the CNA rules.

Links

Enjoy, Have FUN! H.Merijn

Comment on CPANSec is now CNA!


laziness, impatience, and hubris
	PerlMonks