Reporting security issues

The Haskell security advisory database documents known issues in Haskell libraries and open source tools. Anyone can report historical or low-impact issues via the public submission process.

High-impact vulnerabilities should be reported privately to (we do not use PGP). Alternatively, high-impact vulnerabilities can be reported via the CERT/CC VINCE system. Use “Haskell Programming Language” as the vendor name.

The Security Response Team currently coordinates security response under embargo for high-impact issues only. Factors that influence whether or not we will handle an issue under embargo include:

  • How severe is the vulnerability?
  • How widely used is the library or tool in which the issue occurs?
  • Does the issue also affect other ecosystems, or is there already a security response underway? (We will not break someone else’s embargo.)

For example, a high-severity vulnerability affecting the GHC toolchain or a popular library would likely warrant an embargo. If you are unsure, please contact the Security Response Team and we will help assess the impact.

Haskell Security Response Team

The Haskell Security Response Team (SRT) coordinates security response for high-impact vulnerabilities, and maintains the advisory database and associated tooling.

The SRT is currently composed of 5 active members:

  • Casey Mattingly
  • Fraser Tweedale
  • Gautier Di Folco
  • Mihai Maruseac
  • Tristan de Cacqueray

The SRT is an initiative of the Haskell Foundation pursuant to Tech Proposal #37.

Security Guides

The SRT publishes security guides for Haskell programmers and project maintainers. Guides will be added or updated over time.

SRT Reports

The SRT reports quarterly on its completed and ongoing work, and on future plans.