[ANN] OCaml security team

Dear everyone,

We are starting an effort to push security into OCaml. This is based on discussions in the OCaml Software Foundation with industry partners. The main goal is to have best practices similar to those of other programming language ecosystems.

Reporting security issues

This entails a point of contact for the security team, which handles communication between the person who found a security-relevant problem in OCaml software (the "reporter"), who can then contact us - the security team - instead of using a public bug tracker, and the upstream OCaml developer(s).

We, the security team, will establish the three-way communication, and since we have a documented security disclosure process (which will be published soon), we will guide everyone through the process and ensure that timelines are met, CVE numbers are assigned, …

Team composition

The OCaml security team currently consists of individual security experts and individuals representing company sponsors of the OCaml Software Foundation. Individual members participating in a personal capacity may be compensated for their time by the OCaml Software Foundation.

The team currently consists of 7 members.

We’re in the process of formalising the responsibilities of the team, our proposed disclosure process, and how to join & leave the team.

Funding for security actions

To complement the security disclosure process, we will accept funding requests for projects that make OCaml more secure (including guidelines on how to develop OCaml in a secure way / what the common pitfalls are; static analysis; dissemination tools; …). The OCaml Software Foundation will provide funding for these security actions. After this summer we will discuss this in more depth with the community.

Next steps

We will set up a website (similar to what Haskell has at Security) soon, and provide an email address for contacting us - security At ocamlDoT org forwards to our team. We will also set up a mailing list for security announcements.

But more on that at a later point; this brief post is mainly about the fact that this team now exists and is working on improving the security story of OCaml.

If you have any questions for now, please feel free to discuss them in this announcement. Please be aware that it is vacation time soon, so we may not be very responsive.


We will set up a website (similar to what Haskell has at Security) soon

The ocaml.org maintenance team will happily help host the OCaml Security Team pages, maybe at ocaml.org/security. We’d provide support to seamlessly integrate the security team’s content and give it maximum visibility.
