The Haskell security advisory database documents known issues in Haskell libraries and open source tools. Anyone can report historical or low-impact issues via the public submission process.
High-impact vulnerabilities should be reported privately to security-advisories@haskell.org (we do not use PGP). Alternatively, high-impact vulnerabilities can be reported via the CERT/CC VINCE system. Use “Haskell Programming Language” as the vendor name.
The Security Response Team currently coordinates security response under embargo for high-impact issues only. Factors that influence whether or not we will deal with an issue under embargo include:
For example, a high-severity vulnerability affecting the GHC toolchain or a popular library would likely warrant an embargo. If you are unsure, please contact the Security Response Team and we will help assess the impact.
The Haskell Security Response Team (SRT) coordinates security response for high-impact vulnerabilities, and maintains the advisory database and associated tooling.
The current members of the SRT are:
The SRT is an initiative of the Haskell Foundation pursuant to Tech Proposal #37.
The SRT publishes security guides for Haskell programmers and project maintainers. Guides will be added or updated over time.
The SRT reports quarterly on its completed and ongoing work, and on future plans.