From fc93bfcc33d225de265a0f3de6f85d911db4228b Mon Sep 17 00:00:00 2001 From: Toddr Bot Date: Fri, 3 Apr 2026 21:08:03 +0000 Subject: [PATCH 1/2] Address 4 CPANTS experimental kwalitee recommendations - Add 'provides' to META_MERGE in Makefile.PL (meta_yml_has_provides) - Add SECURITY.md with contact info (has_security_doc, security_doc_contains_contact) - Add CONTRIBUTING.md (has_contributing_doc) - Update MANIFEST to include new files Co-Authored-By: Claude Opus 4.6 --- CONTRIBUTING.md | 38 ++++++++++++++++++++++++++++++++++++++ MANIFEST | 2 ++ Makefile.PL | 6 ++++++ SECURITY.md | 22 ++++++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..dbcc916 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,38 @@ +# Contributing to Crypt::OpenSSL::RSA + +Thank you for your interest in contributing! + +## Getting Started + +```bash +# Install build dependencies +cpanm --notest Crypt::OpenSSL::Guess Crypt::OpenSSL::Random + +# Build and test +perl Makefile.PL && make && make test +``` + +## Reporting Bugs + +Please open an issue at https://github.com/cpan-authors/Crypt-OpenSSL-RSA/issues with: +- Your Perl version (`perl -v`) +- Your OpenSSL version (`openssl version`) +- A minimal reproducing script + +## Submitting Changes + +1. Fork the repository +2. Create a feature branch +3. Write tests for your changes +4. Run the full test suite (`make test`) +5. Submit a pull request + +## Code Style + +- Follow existing conventions in the codebase +- XS changes must compile cleanly on OpenSSL 1.0.x, 1.1.x, 3.x, and LibreSSL +- Use preprocessor conditionals to handle version differences (see `RSA.xs`) + +## Security Issues + +For security vulnerabilities, please see [SECURITY.md](SECURITY.md) instead of opening a public issue. diff --git a/MANIFEST b/MANIFEST index e02a384..bae4102 100644 --- a/MANIFEST +++ b/MANIFEST 
@@ -1,5 +1,6 @@ AI_POLICY.md Changes +CONTRIBUTING.md hints/MSWin32.pl LICENSE Makefile.PL @@ -9,6 +10,7 @@ README README.md RSA.pm RSA.xs +SECURITY.md t/bignum.t t/check_param.t t/crypto.t diff --git a/Makefile.PL b/Makefile.PL index 7fb2978..af966fe 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -40,6 +40,12 @@ WriteMakefile( 'dist' => { COMPRESS => 'gzip -9f', SUFFIX => 'gz', }, 'clean' => { FILES => 'Crypt-OpenSSL-RSA-*' }, 'META_MERGE' => { + provides => { + 'Crypt::OpenSSL::RSA' => { + file => 'RSA.pm', + version => '0.37', + }, + }, recommends => { 'Crypt::OpenSSL::Bignum' => 0, }, diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..7147107 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,22 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in Crypt::OpenSSL::RSA, please report it responsibly. + +**Contact:** Todd Rinaldo + +Please include: +- A description of the vulnerability +- Steps to reproduce the issue +- Any relevant version or platform details + +We will acknowledge receipt within 48 hours and aim to provide an initial assessment within one week. + +## Supported Versions + +Security fixes are applied to the latest release. Users are encouraged to keep their installation up to date. + +## Scope + +This module is a Perl XS wrapper around OpenSSL's RSA implementation. Vulnerabilities in OpenSSL itself should be reported to the [OpenSSL security team](https://www.openssl.org/policies/secpolicy.html). From 0523ffe442ff88e42fcc1412ab41728b5448f9ba Mon Sep 17 00:00:00 2001 
From: Toddr Bot Date: Fri, 3 Apr 2026 21:30:25 +0000 Subject: [PATCH 2/2] rebase: apply review feedback on #163 Here's the summary of changes: - **SECURITY.md**: Added GitHub's private vulnerability reporting as the preferred contact method, with email as an alternative, per @toddr's request to prefer GitHub's security reporting mechanism - **Makefile.PL**: Replaced hardcoded `version => '0.37'` with `version => MM->parse_version('RSA.pm')` in the `provides` metadata, using the EUMM technique to derive the version dynamically from `RSA.pm` per @toddr's request to avoid explicit versions in `Makefile.PL` --- Makefile.PL | 2 +- SECURITY.md | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/Makefile.PL b/Makefile.PL index af966fe..ac5159f 100644 --- a/Makefile.PL +++ b/Makefile.PL @@ -43,7 +43,7 @@ WriteMakefile( provides => { 'Crypt::OpenSSL::RSA' => { file => 'RSA.pm', - version => '0.37', + version => MM->parse_version('RSA.pm'), }, }, recommends => { diff --git a/SECURITY.md b/SECURITY.md index 7147107..344e82f 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -4,7 +4,9 @@ If you discover a security vulnerability in Crypt::OpenSSL::RSA, please report it responsibly. -**Contact:** Todd Rinaldo +**Preferred:** Use [GitHub's private vulnerability reporting](https://github.com/cpan-authors/Crypt-OpenSSL-RSA/security/advisories/new) to submit a report directly on GitHub. + +**Alternative:** Email Todd Rinaldo Please include: - A description of the vulnerability
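Review bot: in the CONTRIBUTING.md hunk, the Getting Started install line pulls in only Crypt::OpenSSL::Guess and Crypt::OpenSSL::Random, yet the Makefile.PL hunk lists Crypt::OpenSSL::Bignum under `recommends` and the MANIFEST hunk carries `t/bignum.t`; add it to the cpanm line (`cpanm --notest Crypt::OpenSSL::Guess Crypt::OpenSSL::Random Crypt::OpenSSL::Bignum`) so contributors actually exercise that test, and consider dropping `--notest` for a contributor setup, where a failing dependency test is exactly what you want to see.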
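Review bot: in the PATCH 1/2 Makefile.PL hunk, the hardcoded `version => '0.37'` inside the new `provides` block duplicates the version kept in RSA.pm and goes stale on the next release unless both are bumped together; PATCH 2/2 replaces it with `MM->parse_version('RSA.pm')`, which is the right fix, so squash the two commits before merge rather than leaving an intermediate commit that publishes a drifting value.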
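Review bot: in the PATCH 1/2 SECURITY.md hunk, the `**Contact:** Todd Rinaldo` line as shown carries a name but no visible address or link, which would not satisfy the security_doc_contains_contact check this commit sets out to address; make sure a mailto or address is present in the committed file. The fixed "acknowledge within 48 hours" and "initial assessment within one week" commitments are also stronger than a volunteer-maintained module usually promises; "we aim to" for both, or no numbers at all, is easier to keep.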
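Review bot: in the PATCH 2/2 Makefile.PL hunk, `MM->parse_version('RSA.pm')` runs at Makefile.PL time and returns the literal string `'undef'` (not Perl undef) when it cannot locate a `$VERSION` assignment, so a renamed or restructured version line in RSA.pm would silently ship `version: undef` in the META `provides` entry; a one-line guard that dies when the parsed value equals `'undef'` is cheap insurance and keeps the metadata honest.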
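Review bot: in the PATCH 2/2 SECURITY.md hunk, the preferred link to `.../security/advisories/new` only works once private vulnerability reporting is enabled for the repository in its GitHub settings; if it is not, reporters land on an error page and have to fall back to email, so confirm it is switched on before this merges. The new `**Alternative:** Email Todd Rinaldo` line has the same gap as the original Contact line: a name with no visible address.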