From: Hannes Mehnert
To: caml-list@inria.fr
Date: Mon, 12 Jan 2026 12:20:17 +0100
Subject: [Caml-list] OCaml Security Team 2025 End-Of-Year Report
Message-ID: <0fc4e64a-ef4c-461b-82e2-eea9784778b1@mehnert.org>

Please discuss at https://discuss.ocaml.org/t/ocaml-security-team-2025-end-of-year-report/17689

In May of 2025, the OCaml Software Foundation encouraged the formation of an OCaml Security Team, which would handle issues and provide guidance for improving software security in the OCaml ecosystem. Throughout 2025, the team has been building structure and procedures to accomplish these goals.

A regular public update on the team's activity is among many good ideas taken from the Haskell Security Response Team, and we hope the community will find this first public update useful.

The team consists of:

- Hannes Mehnert - @hannesm - individual, robur.coop
- Mindy Preston - @yomimono - individual
- Joe - @cfcs - individual
- Edwin Török - @edwintorok - individual
- Nicolás Ojeda Bär - @nojb - LexiFi
- Louis Roché - @Khady - ahrefs
- Boning Dong - Bloomberg

Until December 2025:

- Maxim Grankin - @maxim092001 - Bloomberg

The newly created website [ocaml.org/security](https://ocaml.org/security) gives some guidelines for people finding security issues.

# Contact and Disclosure Process

The team established a procedure for reporting security issues as one of its first activities. The security disclosure process is available at https://github.com/ocaml/security-advisories?tab=readme-ov-file#reporting-vulnerabilities .

The OCaml Security Team can also be contacted at security@ocaml.org for matters besides vulnerability disclosure. Mails to security@ocaml.org are not public.

The public, announce-only mailing list https://sympa.inria.fr/sympa/info/ocsf-ocaml-security-announcements will broadcast information on security advisories.

These procedures were [announced in July 2025](https://discuss.ocaml.org/t/ann-ocaml-security-team).

# Vulnerability Database

A public vulnerability database for OCaml software is another of the Security Team's goals. We intend to accomplish this by publishing information from the existing, but empty https://github.com/ocaml/security-advisories to the public [osv.dev](https://osv.dev) database (again borrowing a good idea from the Haskell SRT). Some work on a pipeline for publishing advisories there and backporting existing advisories is ongoing.

# Tool development

An OCaml library that supports the [package URL](https://github.com/package-url/purl-spec) "purl" was developed and released to the opam-repository (https://github.com/hannesm/purl, https://ocaml.org/p/purl/latest). In the process, we propose to make the policy for opam-repository more strict to have immutable packages (where the source is not modified): https://github.com/ocaml/opam-repository/pull/29072. We also propose to integrate opam into the package URL specification https://github.com/package-url/purl-spec/pull/763.

The vulnerability database mentioned above hosts advisories in markdown (with some opam-file-format metadata header). We developed [tooling](https://github.com/hannesm/advisories) to convert these into json (following the json schema from osv.dev). We also made OCaml/opam known for the schema https://github.com/ossf/osv-schema/pull/473.

# Public Meetings and Presentations

On September 15, Hannes Mehnert gave an introduction to the OCaml Security Team at [FUN OCaml](https://fun-ocaml.com/) in Warsaw.

Maxim Grankin gave a talk ["Towards a More Secure OCaml Ecosystem"](https://conf.researchr.org/details/icfp-splash-2025/ocaml-2025-papers/9/Toward-a-More-Secure-OCaml-Ecosystem) at the OCaml Users and Developers Workshop in October of 2025, which is available at https://www.youtube.com/watch?v=PekeGxGlc3Q .

On October 22 2025, the Security Team held a public meeting, for which the notes are available at https://pad.data.coop/7-Ic5rG6ToynsW02hJsndg?both .

# Advisories

A potential clickjacking issue with ocurrent's web interface was reported to the Security Team by Kunal Mhaske and was fixed by Mark Elvers in https://github.com/ocurrent/ocurrent/pull/465 .

No other communications with the security team have resulted in publicly available remediation information or advisories.

# Future Plans

The Security Team has received a lot of interest in the advisory database mentioned above, and this work is a high priority for the team.

The Security Team also hopes to publish security guides for OCaml programmers and project maintainers.

The OCaml Software Foundation has indicated that some funding may be available for projects that make OCaml more secure. The Security Team is actively developing a process for soliciting and evaluating proposals, as discussed in the October public meeting.

# Acknowledgements

The Security Team is an initiative of the OCaml Software Foundation and is grateful to the OCSF and its sponsors for their support.