author: John Lightsey <john@04755.net> 2020-08-25 15:49:05 -0500
committer: Todd Rinaldo <toddr@cpan.org> 2020-09-10 16:33:43 -0500
commit: b135fd4a1ca0074e0baef5764530103cc97cc4fe (patch)
tree: 36507899fbe1213590228bfd43f82e88beefe316 /SECURITY.md
parent: d7cdd6274f87dbbcb0463c7fe8fd16ca3b738026 (diff)
Document the security team's processes and practices
Add a new perlsecpolicy POD file with detailed descriptions of the security team's vulnerability remediation workflow and the criteria used to distinguish security issues from other types of bugs. This also switches the team's public contact address to perl-security@perl.org, and updates the security contact information shown in github's issue interface.
Diffstat (limited to 'SECURITY.md')
-rw-r--r-- SECURITY.md 40
1 files changed, 35 insertions, 5 deletions
diff --git a/SECURITY.md b/SECURITY.md
index 856dbceaca..6cf958715c 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,13 +1,43 @@
# Security Policy
+Perl's vulnerability handling policies are described fully in
+[perlsecpolicy]
+
## Reporting a Vulnerability
-If you believe you have found a security vulnerability in Perl, please email the details to perl5-security-report@perl.org
+If you believe you have found a security vulnerability in the Perl
+interpreter or modules maintained in the core Perl codebase, email
+the details to perl-security@perl.org. This address is a closed
+membership mailing list monitored by the Perl security team.
+
+You should receive an initial response to your report within 72 hours.
+If you do not receive a response in that time, please contact
+the security team lead [John Lightsey](mailto:john@04755.net) and
+the Perl pumpking [SawyerX](mailto:xsawyerx@cpan.org).
+
+When members of the security team reply to your messages, they will
+generally include the perl-security@perl.org address in the "To" or "CC"
+fields of the response. This allows all of the security team to follow
+the discussion and chime in as needed. Use the "Reply-all" functionality
+of your email client when you send subsequent responses so that the
+entire security team receives the message.
-This creates a new Request Tracker ticket in a special queue which isn't initially publicly accessible. The email will also be copied to a closed subscription unarchived mailing list which includes all the core committers, who will be able to help assess the impact of issues, figure out a resolution, and help co-ordinate the release of patches to mitigate or fix the problem across all platforms on which Perl is supported. Please only use this address for security issues in the Perl core, not for modules independently distributed on CPAN.
+The security team will evaluate your report and make an initial
+determination of whether it is likely to fit the scope of issues the
+team handles. General guidelines about how this is determined are
+detailed in the ["WHAT ARE SECURITY ISSUES"] section of [perlsecpolicy].
-When sending an initial request to the security email address, please don't Cc any other parties, because if they reply to all, the reply will generate yet another new ticket. Once you have received an initial reply with a [perl #NNNNNN] ticket number in the headline, it's okay to Cc subsequent replies to third parties: all emails to the perl5-security-report address with the ticket number in the subject line will be added to the ticket; without it, a new ticket will be created.
+If your report meets the team's criteria, an issue will be opened in the
+team's private issue tracker and you will be provided the issue's ID number.
+Issue identifiers have the form perl-security#NNN. Include this identifier
+with any subsequent messages you send.
-## PerlSec
+The security team will send periodic updates about the status of your
+issue and guide you through any further action that is required to complete
+the vulnerability remediation process. The stages vulnerabilities typically
+go through are explained in the ["HOW WE DEAL WITH SECURITY ISSUES"]
+section of [perlsecpolicy].
-Read more at https://perldoc.perl.org/perlsec.html
+[perlsecpolicy]: pod/perlsecpolicy.pod
+["WHAT ARE SECURITY ISSUES"]: pod/perlsecpolicy.pod#what-are-security-issues
+["HOW WE DEAL WITH SECURITY ISSUES"]: pod/perlsecpolicy.pod#how-we-deal-with-security-issues