After some miscommunication between various vendors and perl5-porters regarding a security issue in the Perl (5.8) Regular Expression engine, Nicholas Clark has announced perl5-security-report@perl.org as the mail address for reporting security issues with the Perl core.
This address is intended to be an address for reporting security issues with serious implications that you do not want to publish to a wider audience. It is not intended for reporting general (perceived or real) bugs with the Perl core or Perl modules.
Nicholas is looking for more subscribers to that list to get 99% reliability of a reply within 24 hours, 7 days a week, but I guess the criteria for subscribing to that list will be that you are in Good Standing with the Perl community and likely personally known and vouched for by at least one Perl committer.
The security problem that was briefly discussed in the CB seems to boil down to a vulnerability of your Perl program if you allow the user to submit regular expressions. All security announcements besides Nicholas' mail seem to be quite vague about the exact nature of the problem and I haven't looked at the code. The problem is already fixed in the Perl 5.10 engine, so if an upgrade or a patch to 5.8.x is not in your plans, you can roll up this fix into your upgrade to Perl 5.10.
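The one concrete point above is that the exposure exists only when user-supplied text reaches the regex engine as a pattern. The following Perl snippet is an added illustration (not part of the original post and not related to the patched engine code) of the difference between interpolating untrusted input as a pattern and forcing it to be matched literally with `\Q...\E` (quotemeta). The search term and records are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: a search term that arrived from an untrusted user.
# It is not even a valid pattern, which is the cheapest way to see that
# the user controls what the engine is asked to compile.
my $user_input = 'a(b';

# Constructed sample records to search.
my @records = ( 'foo a(b bar', 'plain text' );

# Pattern interpolation: the user string is compiled as a regex, so the
# user decides which features of the engine get exercised. The eval only
# catches the compile failure; a pattern that compiles still runs as-is.
sub match_as_regex {
    my ( $term, @lines ) = @_;
    my $re = eval { qr/$term/ };    # 'a(b' dies here: unmatched '('
    return () unless defined $re;
    return grep { $_ =~ $re } @lines;
}

# Literal matching: \Q...\E escapes every metacharacter in $term, so the
# engine only ever sees a fixed string and the user cannot shape the
# pattern at all. Use this whenever a plain substring search is all the
# feature actually needs.
sub match_as_literal {
    my ( $term, @lines ) = @_;
    return grep { /\Q$term\E/ } @lines;
}

print "as regex:   ", scalar( match_as_regex( $user_input, @records ) ),   " hit(s)\n";
print "as literal: ", scalar( match_as_literal( $user_input, @records ) ), " hit(s)\n";
```

Run as written, the regex version reports 0 hits because the user string does not compile, while the literal version reports 1 hit from the record containing `a(b`. The design point is that the second form removes the user's ability to choose a pattern at all; if a feature genuinely must accept patterns, the upgrade to the 5.10 engine mentioned above is the fix the post points to, and literal matching is the fallback for everything that only needs a substring search.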