Vulnerability Disclosure Policy

At OCamlPro, we take the security of the OCaml ecosystem seriously. As part of our commitment to transparency and responsible vulnerability management, we adhere to the following guidelines in the discovery, reporting, and disclosure of vulnerabilities:

Identification and Documentation

We document any vulnerabilities identified by our team in software, particularly Opam packages, with detailed technical information.

Responsible Reporting

We promptly forward the identified vulnerabilities to the maintainers or manufacturers of the affected software or product.

Verification and Support

We provide support to the maintainers in verifying and addressing the reported vulnerabilities, where feasible and appropriate. If the resolution of the vulnerability is confirmed, we will verify its mitigation where reasonable efforts allow.

Disclosure Coordination

We work with the maintainers to coordinate the responsible publication of vulnerabilities, ensuring that the information is accurate and actionable. We request acknowledgment of our role in identifying and supporting the resolution of the vulnerability.

Timeframes for Public Disclosure

If maintainers do not respond or refuse to address the vulnerability, we reserve the right to disclose the issue publicly no earlier than 45 days after the initial report. If maintainers are actively addressing the issue, we will delay public disclosure for 90 days from the initial report to allow sufficient time for resolution. These timeframes may be extended on a case-by-case basis upon review and agreement with the maintainers.

Special Agreements

Any deviations from this procedure must be formally agreed upon in writing. If you identify a vulnerability in Opam packages or the OCaml ecosystem that is not yet listed, please report it to us via contact@ocamlpro.com. By working together, we can help ensure the safety and integrity of the tools relied upon by the OCaml community.
