Announcing the April Task Force
CPAN Security Group (CPANSec) and The Perl and Raku Foundation (TPRF) are happy to announce the April Task Force. This project is set up to strengthen the CPANSec CNA Function, improve the security posture of CPAN and Perl, and to help prepare these communities for the impact expected from the general availability of security analysis-capable Large Language Models.
The April Task Force is fiscally hosted by The Perl and Raku Foundation and backed by a USD 250,000.00 grant from Linux Foundation and OpenSSF through the Alpha-Omega project.
This funding follows the September 2025 OpenSSF open letter and the wider recognition that the major package registries – CPAN among them – need structured investment to keep pace with commercial-scale use.
Scope and work
The task force will be focusing on:
- Streamlining CVE processes and CNA function — including workflow tooling for triage, creation, verification, and publishing
- Vulnerability work — measurable backlog reduction in core Perl, CPAN tooling, and critical distributions
- Supply chain security — improved CPAN maturity against the OpenSSF Principles for Package Repository Security
- Long-term sustainability and funding of the Perl and CPAN security communities and ecosystem
- Participation in and contribution to Alpha-Omega’s Security engineers-in-residence program, and cross-ecosystem forum for package registries
The team
- Leon Timmermans
- Perl Steering Council member; Core Perl security, encryption-related modules
- Olaf Alders
- MetaCPAN founder; CPAN publishing infrastructure, auditing CVE findings, maintainer outreach, patches development; Grant manager
- Paul Johnson
- Devel::Cover project lead; CPAN XS distributions, process automation
- Robert Rothenberg
- Long-term contributor to open source and Perl; Vulnerability research, CVE reporting, communication, triage workflow
- Salve J. Nilsen
- Long-term Perl community volunteer; Project facilitation, organizational design, policy, compliance and metadata, sustainability
- Stig Palmquist
- Vulnerability research, exploit development, CNA process
- Timothy Legge
- Cybersecurity professional; CNA process, triage workflow, vulnerability research
Fiscal host: The Perl and Raku Foundation
The Perl and Raku Foundation has predominantly assumed a “hands-off” role in the Perl and Raku communities, following a “servant leadership” philosophy for supporting these.
With this funding, the foundation for the first time puts on the mantle of a facilitator and fiscal host.
This is both in recognition of the changing legislative landscape, where EU regulations like NIS2 and CRA will require businesses to secure their applications, services and products – and that these changes in this landscape are likely to affect the Open Source Software projects affected businesses rely on.
While the core activities that make Open Source fun and worth doing should remain and be protected, there is new work laid before us. Some of it is necessary, but too tedious to attract volunteers.
A change in how Perl and CPAN Security can be supported
In their grant letter, the Linux Foundation state it succinctly.
Perl [is] among the most critical and widely-used projects in the open-source ecosystem, and any vulnerabilities therein would have a significant impact on The Linux Foundation’s members, and the public at large.
Every major commercial user of Perl is already paying for some version of this work. Internal teams monitor CPAN advisories, maintain private patches, respond to incidents under time pressure, and absorb the cost of unaddressed backlogs when something surfaces. Today, none of this shows up as a budget line item called “CPAN security”, even if the cost is real and being paid needlessly in parallel across the industry.
The April Task Force provides a new opportunity to facilitate a “shift left” for cost-saving across the industry. To enable this, TPRF is establishing a mechanism for ongoing corporate sponsorship of this work; details will follow in the foundation’s revised fundraising goals.
Furthermore, we are exploring novel funding mechanisms expected through the EU Cyber Resilience Act, to facilitate the support of Perl and CPAN projects and communities through offering compliance-relevant assurances.
How to engage
- Report vulnerabilities through the CPAN Security Group.
- Engage directly with the CPAN Security Group on enterprise concerns.
- Allocate software engineering and security champion resources to OSS security work.
- Prepare your budgets for sustained support of your digital infrastructure commons.
The digital commons Perl and CPAN are part of, and industry relies on, cannot thrive on bystanders. Industry engagement is key both for its own long-term security posture, and for society at large.
About the CPAN Security Group
The CPAN Security Group (CPANSec) is a group of volunteers from the Perl community who work to support the security of the Perl ecosystem through education and outreach, security analysis of open source Perl distributions on CPAN, and support for fixing security vulnerabilities. CPANSec was founded at the Perl Toolchain Summit 2023 in Lyon.
About the Perl and Raku Foundation
The Perl and Raku Foundation (TPRF) is a volunteer-led 501(c)(3) non-profit dedicated to advancing the Perl and Raku programming languages. The foundation provides financial, legal, and organizational stewardship that keeps both languages freely available and actively developed — funding core maintenance and development grants, producing community conferences, and supporting shared infrastructure and user groups.
Links
- CPAN Security Group: https://security.metacpan.org
- The Perl and Raku Foundation: https://www.perlfoundation.org
- September 2025 OpenSSF open letter: https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/
- Alpha-Omega: https://alpha-omega.dev