OCaml Security

This page describes the OCaml security disclosure process: how to report vulnerabilities, the role and members of the OCaml Security Response Team (SRT), and the SRT's publications.

Reporting security issues

The OCaml security advisory database documents known issues in OCaml libraries and open source tools. Anyone can report historical or low-impact issues as a PR to the security advisory database.

High-impact vulnerabilities should be reported privately to security@ocaml.org (we do not use PGP). Alternatively, high-impact vulnerabilities can be reported via a private GitHub issue.

The Security Response Team (SRT) maintains a security disclosure process to coordinate security responses. Factors that influence whether or not we will deal with a report and embargo it include:

  • How severe is the vulnerability?
  • How widely used is the library or tool in which the issue occurs?
  • Does the issue also affect other ecosystems, or is there already a security response underway? (We will not break someone else’s embargo.)

For example, a high-severity vulnerability affecting the OCaml toolchain or a popular library would likely warrant an embargo. If you are unsure, please contact the Security Response Team and we will help assess the impact.

OCaml Security Response Team

The OCaml Security Response Team coordinates security response for high-impact vulnerabilities, and maintains the advisory database and associated tooling.

The current members of the SRT are:

The SRT is an initiative of the OCaml Software Foundation.

Former members

  • May 2025 until December 2025: Maxim Grankin -@maxim092001 - Bloomberg

Mailing List For Security Announcements

Every security advisory is published on the public mailing list ocsf-ocaml-security-announcements. Anyone can subscribe. The list carries security advisories only; there is no discussion on it.

Security Guides

The SRT publishes security guides for OCaml programmers and project maintainers. Guides will be added or updated over time.

SRT Reports

Reports from the Security Response Team are available on GitHub.
