At the Perl Toolchain Summit in April 2026, members of the CPANSec CNA discussed disclosure periods and decided to reduce the default disclosure date (“embargo”) for publishing vulnerabilities from 28 days to 14 days.
Some CPAN authors have expressed concerns about this change so we wanted to detail the reasons for this change:
- LLMs are accelerating vulnerability discovery, and many in the security community consider AI-discoverable issues to be effectively public already.
- This makes long embargoes riskier: users need timely information so they can mitigate, whether or not a fix is available upstream.
- Once we confirm a vulnerability, we assign a CVE identifier, notify the author, and set a planned disclosure date, after which the CVE is published.
- The default disclosure period is 14 days, but this is a recommendation, not a hard deadline. Maintainers who need more time can request an extension, and we will work with them.
See CPANSec Has Revised Our Default Disclosure Date for the full document.