Note: sent to modules list but copied to Brian D Foy as author of CPAN::Audit.

There isn't a policy or central place for reporting security issues with CPAN modules that are not part of the Perl core.

Should there be one?

I have reported a couple of security issues to module authors, and have yet to receive replies.

One of them is a well-used module, and I've not received a reply after several months.

Another has a CVE associated with a library that it uses, so I've reported that separately to CPAN::Audit but that's still not a satisfactory way of reporting or handling issues.

Beyond asking around on forums "Is anyone in touch with this module author? I need to get in touch with them" I'm unsure where to go.

This feels unsatisfactory. But I'm not sure what a good alternative is yet.
