OCaml Security Team 2025 End-Of-Year Report

In May of 2025, the OCaml Software Foundation encouraged the formation of an OCaml Security Team, which would handle issues and provide guidance for improving software security in the OCaml ecosystem. Throughout 2025, the team has been building structure and procedures to accomplish these goals. A regular public update on the team’s activity is among many good ideas taken from the Haskell Security Response Team, and we hope the community will find this first public update useful.

The team consists of:

• Hannes Mehnert - @hannesm - individual, robur.coop
• Mindy Preston - @yomimono - individual
• Joe - @cfcs - individual
• Edwin Török - @edwintorok - individual
• Nicolás Ojeda Bär - @nojb - LexiFi
• Louis Roché - @Khady - ahrefs
• Boning Dong - Bloomberg

Until December 2025:

• Maxim Grankin - @maxim092001 - Bloomberg

The newly created website ocaml.org/security gives some guidelines for people finding security issues.

Contact and Disclosure Process

The team established a procedure for reporting security issues as one of its first activities. The security disclosure process is available at GitHub - ocaml/security-advisories: Advisories from the OCaml Security team . The OCaml Security Team can also be contacted at security@ocaml.org for matters besides vulnerability disclosure. Mails to security@ocaml.org are not public.

The public, announce-only mailing list Making sure you're not a bot! will broadcast information on security advisories.

These procedures were announced in July 2025.

Vulnerability Database

A public vulnerability database for OCaml software is another of the Security Team’s goals. We indend to accomplish this by publishing information from the existing, but empty GitHub - ocaml/security-advisories: Advisories from the OCaml Security team to the public osv.dev database (again borrowing a good idea from the Haskell SRT). Some work on a pipeline for publishing advisories there and backporting existing advisories is ongoing.

Tool development

An OCaml library that supports the package URL “purl” was developed and released to the opam-repository (GitHub - hannesm/purl: Package URL in OCaml, purl 1.0.0 (latest) · OCaml Package). In the process, we propose to make the policy for opam-repository more strict to have immutable packages (where the source is not modified): make the immutable policy stricter by hannesm · Pull Request #29072 · ocaml/opam-repository · GitHub. We also propose to integrate opam into the package URL specification add opam package url specification by hannesm · Pull Request #763 · package-url/purl-spec · GitHub.

The vulnerability database mentioned above hosts advisories in markdown (with some opam-file-format metadata header). We developed tooling to convert these into json (following the json schema from osv.dev). We also made OCaml/opam known for the schema Add the OPAM / OCaml ecosystem by hannesm · Pull Request #473 · ossf/osv-schema · GitHub.

Public Meetings and Presentations

On September 15, Hannes Mehnert gave an introduction to the OCaml Security Team at FUN OCaml in Warsaw.

Maxim Grankin gave a talk “Towards a More Secure OCaml Ecosystem” at the OCaml Users and Developers Workshop in October of 2025, which is available at https://www.youtube.com/watch?v=PekeGxGlc3Q .

On October 22 2025, the Security Team held a public meeting, for which the notes are available at OCaml public security meeting - HedgeDoc .

Advisories

A potential clickjacking issue with ocurrent’s web interface was reported to the Security Team by Kunal Mhaske was fixed by Mark Elvers in Add Content-Security-Policy and X-Frame-Options by mtelvers · Pull Request #465 · ocurrent/ocurrent · GitHub .

No other communications with the security team have resulted in publicly available remediation information or advisories.

Future Plans

The Security Team has received a lot of interest in the advisory database mentioned above, and this work is a high priority for the team.

The Security Team also hopes to publish security guides for OCaml programmers and project maintainers.

The OCaml Software Foundation has indicated that some funding may be available for projects that make OCaml more secure. The Security Team is actively developing a process for soliciting and evaluating proposals, as discussed in the October public meeting.

Acknowledgements

The Security Team is an initiative of the OCaml Software Foundation and is grateful to the OCSF and its sponsors for their support.