The Haskell Security Response Team (SRT) is a volunteer organization within the Haskell Foundation that is building tools and processes to aid the entire Haskell ecosystem in assessing and responding to security risks. In particular, we maintain a database of security advisories that can serve as a data source for security tooling.
This report details the SRT activities for November–December 2024 (a two month period due to extension of the previous reporting period).
The SRT is:
- Fraser Tweedale
- Gautier Di Folco
- Lei Zhu
- Mihai Maruseac
- Montez Fitzpatrick
- Tristan de Cacqueray
How to contact the SRT
For assistance in coordinating a security response to newly discovered, high impact vulnerabilities, contact security-advisories@haskell.org. Due to limited resources, we can only coordinate embargoed disclosures for high impact vulnerabilities affecting current versions of core Haskell tools and libraries, or in other exceptional cases.
You can submit lower-impact or historical vulnerabilities to the advisory database via a pull request to our GitHub repository.
You can also contact the SRT about non-advisory/security-response topics. We prefer public communication where possible. In most cases, GitHub issues are an appropriate forum. But the mail address is there if no other appropriate channel exists.
Advisory database
A quiet quarter…
- 0 contemporary advisories were published during the reporting period.
- 0 historical advisories were added during the reporting period.
- 2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) remain reserved for embargoed vulnerabilities, which will be published later.
We ask community members to report any known security issues, including historical issues, that are not yet included in the database.
Documenting SRT processes
Fraser spent some time documenting the SRT’s internal processes, in particular: running a call for volunteers, member on/off-boarding, and the quarterly report. The content is in the docs/ subdirectory of the security-advisories repo.
Github Secure Open Source Fund
In November, GitHub announced their Secure Open Source Fund, which would initially offer USD 1.25M across 125 projects. Gautier shared this via a Haskell Discourse post in December, along with some project ideas. Applications closed in early January. The SRT did not apply for the first round, and we are not specifically aware of any other Haskell-flavoured applications.
The second round is scheduled for June and is accepting applications now (form). We encourage anyone who wants to apply to this program to work on Haskell ecosystem security to reach out to the SRT, so we can align and support the work.
The GitHub program raises the broader question of funding for Haskell security work—a topic the SRT will explore further in the coming months.
Cabal version bumping via Renovate
The SRT acknowledges Janus Troelsen’s work on Haskell support for Renovate, a dependency management tool that includes a bot for bumping versions. Basic support was recently merged, and work is ongoing.
Thank you Janus for tackling this critical gap in the Haskell security tooling!
Tooling updates
- Tristan added OSV schema validation to the CI checks (#254).
- Gautier made big improvements to the appearance of the HTML export of the advisory data. See the result at Haskell Security advisories.
- CVSS 4.0 support: no further progress on this objective during the period.
- There is an outstanding ask from the OSV.dev project to define feedback channels for our advisories, so that consumers downstream of OSV.dev know where/how to provide corrective feedback on individual records (#252).