FWIW, someone involved in finding the perl vulnerability filed a bug report about 3 weeks ago asking where to non-publicly report such vulnerabilities. The p5p hive mind responded with conflicting messages (which it seems he never even got).
Myself, I didn't pay much attention, because the reporter only identified himself as "Jack" and used erratic grammar, capitalization, and punctuation.
He addressed his message to several perl.org addresses, I think not all of them even valid, perlbug just happening to be one of them.
Oh, well.