There is now a dedicated Security Response Team (SRT) to handle vulnerability reports and coordinate security responses. If you discover a security issue in the OCaml compiler, runtime, standard library, or ecosystem tools, you can report it confidentially to the team.
- Report vulnerabilities: Email security@ocaml.org or use a private GitHub issue for high-impact vulnerabilities
- Security page: ocaml.org/security provides full details on reporting and the team
- Security advisories: The OCaml Security Advisory Database documents known issues in OCaml libraries and tools
- Announcements: Subscribe to the ocsf-ocaml-security-announcements mailing list for notifications of new advisories
The SRT follows responsible disclosure practices, working with reporters to validate issues, develop fixes, and coordinate public disclosure timelines. This effort also helps OCaml developers and companies comply with emerging security regulations like the EU Cyber Resilience Act.
For more information, see the announcement on Discuss.