{"id":31199945,"url":"https://github.com/ocaml/security-advisories","last_synced_at":"2025-09-20T10:48:24.951Z","repository":{"id":314107105,"uuid":"1013045220","full_name":"ocaml/security-advisories","owner":"ocaml","description":"Advisories from the OCaml Security team","archived":false,"fork":false,"pushed_at":"2025-09-10T13:52:18.000Z","size":1,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-09-10T17:55:43.915Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ocaml.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-07-03T09:20:26.000Z","updated_at":"2025-09-10T13:52:22.000Z","dependencies_parsed_at":"2025-09-10T17:55:45.180Z","dependency_job_id":"90d59853-f779-4ff8-8290-55ca6e711366","html_url":"https://github.com/ocaml/security-advisories","commit_stats":null,"previous_names":["ocaml/security-advisories"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/ocaml/security-advisories","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocaml%2Fsecurity-advisories","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocaml%2Fsecurity-advisories/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocaml%2Fsecurity-advisories/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocaml%2Fsecurity-advisories/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ocaml","download_url":"https://codeload.github.com/ocaml/security-advisories/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ocaml%2Fsecurity-advisories/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":276085242,"owners_count":25582513,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-20T02:00:10.207Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-09-20T10:48:23.237Z","updated_at":"2025-09-20T10:48:24.943Z","avatar_url":"https://github.com/ocaml.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# OCaml Security Advisory Database\n\nThe OCaml Security Advisory Database is a repository of security advisories filed against the OCaml compiler and OCaml packages published via [opam](https://opam.ocaml.org).\n\nThis database is still work in progress, please stay tuned for updates.\n\nIt is maintained by the [OCaml security team](https://ocaml.org/security).\n\n## Receiving Security Advisories\n\nOn the public [mailing list ocsf-ocaml-security-announcements](https://sympa.inria.fr/sympa/info/ocsf-ocaml-security-announcements) every security advisory will be published. Everyone can subscribe to that mailing list. It is only for security advisories, there won't be any discussion on the mailing list.\n\n## Reporting Vulnerabilities\n\n1. Someone (the *reporter*) reports a security issue to [security@ocaml.org](mailto:security@ocaml.org) or as a private GitHub issue in [ocaml/security-advisories](https://github.com/ocaml/security-advisories) repository.\n2. The *OCaml security team* replies with \"we have received your mail, we'll be back within a week\" within three working days; \"do you want your identity being disclosed to the upstream author and/or general public?\"\n3. The *OCaml security team* figures out who (the *responder*) wants to take the issue within the security team.\n4. The *responder* looks at the issue, and if it is valid, it contacts the *upstream maintainer(s)* of the package, and/or the *opam maintainer(s)* or *author(s)* as appropriate (the *maintainer(s)*)\n   - (4a.) The *responder* applies for a CVE number unless the *reporter* already has one.\n   - (4b.) The *responder* figures out (with upstream authors) which versions are affected.\n5. The *reporter*, *responder*, and *maintainer* discuss about the embargo \u0026mdash; the usual period is 90 days (but publishing it earlier if there's a patch available is fine)\n6. When the patch is available, discussion between *reporter*, *maintainer(s)*, and *responder* whether this fixes the issue (the *reporter* may have some test environment and can confirm it).\n7. Potentially a pre-announcement about which package and when the advisory and patch will be published for core opam packages and high impact vulnerabilities.\n8. The *responder* publishes the security advisory\n   - (8b.) The advisory is sent to the [mailing list for security announcements](https://sympa.inria.fr/sympa/info/ocsf-ocaml-security-announcements)\n   - (8c.) The *maintainer(s)* (or the *responder*) publishes the fixed opam package to opam.ocaml.org (and mark vulnerable packages unavailable)\n   - (8d.) The *responder* publishes the security announcement also on the [database](https://github.com/ocaml/security-advisories), which is an input source for [OSV](https://osv.dev)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Focaml%2Fsecurity-advisories","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Focaml%2Fsecurity-advisories","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Focaml%2Fsecurity-advisories/lists"}