Add a security policy

Author: timlegge

Makefile.PL

@@ -7,7 +7,7 @@ use ExtUtils::MakeMaker;
 
 my %WriteMakefileArgs = (
   "ABSTRACT" => "A toolkit to help sign and verify XML Digital Signatures.",
-  "AUTHOR" => "Byrne Reese <byrne\@cpan.org>, Timothy Legge <timlegge\@cpan.org>",
+  "AUTHOR" => "Timothy Legge <timlegge\@gmail.com>",
   "CONFIGURE_REQUIRES" => {
     "ExtUtils::MakeMaker" => 0
   },

README

@@ -300,10 +300,8 @@ AUTHORS and CREDITS
 
     Maintainer: Timothy Legge <timlegge@cpan.org>
 
-AUTHORS
-    *   Byrne Reese <byrne@cpan.org>
-
-    *   Timothy Legge <timlegge@cpan.org>
+AUTHOR
+    Timothy Legge <timlegge@gmail.com>
 
 COPYRIGHT AND LICENSE
     This software is copyright (c) 2025 by Byrne Reese, Chris Andrews and

SECURITY.md

@@ -0,0 +1,95 @@
+# Security Policy for the XML-Sig distribution.
+
+Report security issues by email to Timothy Legge <timlegge@gmail.com>.
+
+This is the Security Policy for XML-Sig.
+
+This text is based on the CPAN Security Group's Guidelines for Adding
+a Security Policy to Perl Distributions (version 1.3.0)
+https://security.metacpan.org/docs/guides/security-policy-for-authors.html
+
+# How to Report a Security Vulnerability
+
+Security vulnerabilities can be reported to the current XML-Sig
+maintainers by email to Timothy Legge <timlegge@gmail.com>.
+
+Please include as many details as possible, including code samples
+or test cases, so that we can reproduce the issue.  Check that your
+report does not expose any sensitive data, such as passwords,
+tokens, or personal information.
+
+If you would like any help with triaging the issue, or if the issue
+is being actively exploited, please copy the report to the CPAN
+Security Group (CPANSec) at <cpan-security@security.metacpan.org>.
+
+Please *do not* use the public issue reporting system on RT or
+GitHub issues for reporting security vulnerabilities.
+
+Please do not disclose the security vulnerability in public forums
+until past any proposed date for public disclosure, or it has been
+made public by the maintainers or CPANSec.  That includes patches or
+pull requests.
+
+For more information, see
+[Report a Security Issue](https://security.metacpan.org/docs/report.html)
+on the CPANSec website.
+
+## Response to Reports
+
+The maintainer(s) aim to acknowledge your security report as soon as
+possible.  However, this project is maintained by a single person in
+their spare time, and they cannot guarantee a rapid response.  If you
+have not received a response from them within 2 weeks, then
+please send a reminder to them and copy the report to CPANSec at
+<cpan-security@security.metacpan.org>.
+
+Please note that the initial response to your report will be an
+acknowledgement, with a possible query for more information.  It
+will not necessarily include any fixes for the issue.
+
+The project maintainer(s) may forward this issue to the security
+contacts for other projects where we believe it is relevant.  This
+may include embedded libraries, system libraries, prerequisite
+modules or downstream software that uses this software.
+
+They may also forward this issue to CPANSec.
+
+# Which Software This Policy Applies To
+
+Any security vulnerabilities in XML-Sig are covered by this policy.
+
+Security vulnerabilities in versions of any libraries that are
+included in XML-Sig are also covered by this policy.
+
+Security vulnerabilities are considered anything that allows users
+to execute unauthorised code, access unauthorised resources, or to
+have an adverse impact on accessibility or performance of a system.
+
+Security vulnerabilities in upstream software (prerequisite modules
+or system libraries, or in Perl), are not covered by this policy
+unless they affect XML-Sig, or XML-Sig can
+be used to exploit vulnerabilities in them.
+
+Security vulnerabilities in downstream software (any software that
+uses XML-Sig, or plugins to it that are not included with the
+XML-Sig distribution) are not covered by this policy.
+
+## Supported Versions of XML-Sig
+
+The maintainer(s) will only commit to releasing security fixes for
+the latest version of XML-Sig.
+
+# Installation and Usage Issues
+
+The distribution metadata specifies minimum versions of
+prerequisites that are required for XML-Sig to work.  However, some
+of these prerequisites may have security vulnerabilities, and you
+should ensure that you are using up-to-date versions of these
+prerequisites.
+
+Where security vulnerabilities are known, the metadata may indicate
+newer versions as recommended.
+
+## Usage
+
+Please see the software documentation for further information.

cpanfile

@@ -39,6 +39,7 @@ on 'configure' => sub {
 
 on 'develop' => sub {
   requires "Pod::Coverage::TrustPod" => "0";
+  requires "Software::Security::Policy::Individual" => "0";
   requires "Test::EOF" => "0";
   requires "Test::EOL" => "0";
   requires "Test::More" => "0.88";

dist.ini

@@ -1,7 +1,7 @@
 name    = XML-Sig
 abstract = A toolkit to help sign and verify XML Digital Signatures.
-author  = Byrne Reese <byrne@cpan.org>
-author  = Timothy Legge <timlegge@cpan.org>
+;author  = Byrne Reese <byrne@cpan.org>
+author  = Timothy Legge <timlegge@gmail.com>
 copyright_holder = Byrne Reese, Chris Andrews and Others, see the git log
 ; [...]
 license = Perl_5
@@ -47,6 +47,7 @@ exclude_filename = dev-bin/cpanm
 exclude_filename = Dockerfile
 exclude_filename = MANIFEST
 exclude_filename = README
+exclude_filename = SECURITY.md
 
 [Encoding]
 encoding = bytes
@@ -58,9 +59,10 @@ match = ico
 copy = cpanfile
 copy = Makefile.PL
 copy = README
+copy = SECURITY.md
 
 [CopyFilesFromRelease]
-copy = cpanfile, Makefile.PL, README
+copy = cpanfile, Makefile.PL, README, SECURITY.md
 
 [MetaJSON]
 [MetaProvides::Package]
@@ -88,6 +90,10 @@ version_regexp  = ^(0.\d+)$   ; this is the default
 [OurPkgVersion]
 [WriteVersion]
 
+[SecurityPolicy]
+-policy = Individual
+timeframe = 2 weeks
+
 [Git::Tag]
 tag_format  = %V       ; this is the default
 tag_message = %V       ; this is the default