1. Every security advisory is published on the public mailing list ocsf-ocaml-security-announcements. Anyone can subscribe to that list. It is used only for security advisories; there is no discussion on the list.
2. The OCaml security team replies within three working days with "we have received your mail, we'll be back within a week" and asks: "do you want your identity to be disclosed to the upstream author and/or the general public?"
3. The OCaml security team decides who within the team (the responder) takes the issue.
4. The responder examines the issue and, if it is valid, contacts the upstream maintainer(s) of the package and/or the opam maintainer(s) or author(s) as appropriate (the maintainer(s)).
   - (4a.) The responder applies for a CVE number unless the reporter already has one.
   - (4b.) The responder determines, together with the upstream authors, which versions are affected.
5. The reporter, responder, and maintainer(s) discuss the embargo. The usual period is 90 days, but publishing earlier once a patch is available is fine.
6. When the patch is available, the reporter, maintainer(s), and responder discuss whether it fixes the issue (the reporter may have a test environment and can confirm the fix).
7. For core opam packages and high-impact vulnerabilities, a pre-announcement may be sent stating which package is affected and when the advisory and patch will be published.