IntersectMBO · coot · May 14, 2026 · May 14, 2026 · May 14, 2026 · May 14, 2026
@@ -0,0 +1,4 @@
+# Note: later rules override earlier rules.
+
+# Default
+* @intersectmbo/ouroboros-network-maintainers
@@ -8,7 +8,7 @@ update` after cloning the repository.
 We designed `io-classes` to be as close as possible to what `base` package
 provides.  Almost all `IO` instances instantiate with API provided by one of
 the core packages, see
-[example](https://github.com/input-output-hk/io-sim/blob/main/io-classes/src/Control/Monad/Class/MonadSTM.hs?plain=1#L410-L446).
+[example](https://github.com/intersectmbo/io-sim/blob/main/io-classes/src/Control/Monad/Class/MonadSTM.hs?plain=1#L410-L446).
 Please keep this in mind when adding new functionality.
 
 # Roles and Responsibilities
@@ -55,7 +55,7 @@ package ouroboros-network-testing
 # Code Style
 
 Please follow the local style.  For a more detailed style guide see
-[link](https://github.com/input-output-hk/ouroboros-network/blob/master/docs/StyleGuide.md).
+[link](https://github.com/intersectmbo/ouroboros-network/blob/master/docs/StyleGuide.md).
 
 # Pull Requests
 
@@ -84,7 +84,7 @@ quite simple.
 ## Code Style
 
 Please follow the local style.  For a more detailed style guide see
-[link](https://github.com/input-output-hk/ouroboros-network/blob/master/docs/StyleGuide.md).
+[link](https://github.com/intersectmbo/ouroboros-network/blob/master/docs/StyleGuide.md).
 
 ## MonadSTM features
 
@@ -119,8 +119,8 @@ lazier than `IO` monad.  Thus if you want to use `Debug.Trace.traceM` inside
 
 
 
-[CHaP]: https://github.com/input-output-hk/cardano-haskell-packages/
+[CHaP]: https://github.com/intersectmbo/cardano-haskell-packages/
 [gh-link-issue]: https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue
 [gh-signing-commits]: https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits
-[ci]: https://github.com/input-output-hk/io-sim/actions
+[ci]: https://github.com/intersectmbo/io-sim/actions
 
@@ -1,4 +1,4 @@
-Copyright 2019-2024 Input Output Global Inc (IOG)
+Copyright 2019-2026 Input Output Global Inc (IOG), 2026 Intersect
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

@@ -1,6 +1,6 @@
-[![Haskell CI](https://img.shields.io/github/actions/workflow/status/input-output-hk/io-sim/haskell.yml?branch=main&label=Build&style=for-the-badge)](https://github.com/input-output-hk/io-sim/actions/workflows/haskell.yml)
-[![handbook](https://img.shields.io/badge/policy-Cardano%20Engineering%20Handbook-informational?style=for-the-badge)](https://input-output-hk.github.io/cardano-engineering-handbook)
-[![Haddocks](https://img.shields.io/badge/documentation-Haddocks-pink?style=for-the-badge)](https://input-output-hk.github.io/io-sim)
+[![Haskell CI](https://img.shields.io/github/actions/workflow/status/intersectmbo/io-sim/haskell.yml?branch=main&label=Build&style=for-the-badge)](https://github.com/intersectmbo/io-sim/actions/workflows/haskell.yml)
+[![handbook](https://img.shields.io/badge/policy-Cardano%20Engineering%20Handbook-informational?style=for-the-badge)](https://intersectmbo.github.io/cardano-engineering-handbook)
+[![Haddocks](https://img.shields.io/badge/documentation-Haddocks-pink?style=for-the-badge)](https://intersectmbo.github.io/io-sim)
 
 # [`io-sim`]
 
@@ -75,10 +75,10 @@ New issues should be reported in [this][io-sim-issues] repository.
 [`io-sim`]: https://hackage.haskell.org/package/io-sim
 
 [contra-tracer]: https://hackage.haskell.org/package/contra-tracer
-[io-sim-issues]: https://github.com/input-output-hk/io-sim/issues
+[io-sim-issues]: https://github.com/intersectmbo/io-sim/issues
 [io-sim-por-how-to]: ./io-sim/how-to-use-IOSimPOR.md
-[io-sim-por]: https://github.com/input-output-hk/io-sim/blob/main/io-sim/how-to-use-IOSimPOR.md
-[ouroboros-network]: https://github.com/input-output-hk/ouroboros-network
+[io-sim-por]: https://github.com/intersectmbo/io-sim/blob/main/io-sim/how-to-use-IOSimPOR.md
+[ouroboros-network]: https://github.com/intersectmbo/ouroboros-network
 
 [`IOSim`]: https://hackage.haskell.org/package/io-sim/docs/Control-Monad-IOSim.html#t:IOSim
 

@@ -1,19 +1,106 @@
-# Security Policy
+# Security Vulnerability Disclosure Policy
 
-## Reporting a Vulnerability
+## Introduction
 
-Please report (suspected) security vulnerabilities to security@intersectmbo.org. You will receive a
-response from us within 48 hours. If the issue is confirmed, we will release a patch as soon
-as possible.
+The Cardano open source project `io-sim` is committed to ensuring the security
+of its software and the privacy of its users. We value the contributions of the
+security community in helping us identify and address vulnerabilities in our
+code. This Security Vulnerability Disclosure Policy outlines how security
+vulnerabilities should be reported and how we will respond to and remediate
+such reports.
 
-Please provide a clear and concise description of the vulnerability, including:
+## Security Vulnerability Handling Process
 
-* the affected version(s) of all packages included in ouroboros-network repository,
-* steps that can be followed to exercise the vulnerability,
-* any workarounds or mitigations
+### Reporting a Vulnerability
 
-If you have developed any code or utilities that can help demonstrate the suspected
-vulnerability, please mention them in your email but ***DO NOT*** attempt to include them as
-attachments as this may cause your Email to be blocked by spam filters.
-See the security file in the [Cardano engineering handbook](https://github.com/input-output-hk/cardano-engineering-handbook/blob/main/SECURITY.md).
+If you discover a security vulnerability in xxxx, we encourage you to
+responsibly disclose it to us. To report a vulnerability, please use
+the [private reporting form on
+GitHub](https://github.com/tbc)
+to draft a new _Security advisory_.
 
+Please include as much details as needed to clearly qualify the issue:
+
+- A description of the vulnerability and its potential impact.
+- Steps to reproduce the vulnerability.
+- The version of `xxxx` package where the vulnerability exists.
+- Any relevant proof-of-concept or exploit code (if applicable).
+
+### Processing Vulnerability
+
+1. **Acknowledgment**: The team acknowledges the receipt of your report
+   within 3 business days by commenting on the issue reporting it or replying to email.
+
+2. **Validation**: The team investigates the issue and either _reject_ or _validate_ the
+   reported vulnerability.
+
+   a. **Rejection**: If the team rejects the report, detailed explanations will be provided by email or commenting on the relevant issue and the latter will be made public and closed as `Won't fix`.
+
+   b. **Acceptance**: If the team accepts the report, a CVE identifier will be requested through GitHub and a [private fork](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/collaborating-in-a-temporary-private-fork-to-resolve-a-repository-security-vulnerability) opened to work on a fix to the issue
+
+3. **Resolution**: The team works to resolve the vulnerability in a
+   timely manner. The timeline for resolution will depend on the
+   complexity and severity of the vulnerability, but we will strive to
+   address critical vulnerabilities as quickly as possible.
+
+4. **Collaboration**: While working on a fix, the team maintains open and transparent
+   communication with the reporter throughout the process, providing
+   updates on the status of the vulnerability and any steps taken to
+   remediate it. In particular this means that the reporter will be asked to review any proposed fix and to advise on the timing for public disclosure.
+
+5. **Fixing Issue**: The team agrees on the fix, the announcement, and the release schedule with the reporter. If the reporter is not responsive in a reasonable time frame this should not block the team from moving to the next steps particularly in the face of a high impact or high severity issue.
+
+   a. **Mitigation**: Depending on the severity and criticity of the issue, the team can decide to disclose the issue publicly in the absence of a fix _if and only if_ a clear, simple, and effective mitigation plan is defined. This _must_ include instructions for users and operators of the software, and a time horizon at which the issue will be properly fixed (eg. version number).
+
+   b. **Fix**: When a fix is available and approved, it should be merged and made available as quickly as possible:
+
+   - All commits to the private repository are squashed into a single commit whose description _should not_ make any reference it relates to a security vulnerability
+   - A new Pull Request is created with this single commit
+   - This PR's review and merging is expedited as all the work as already been done
+
+6. **Release**: The team creates and publish a release that includes the fix
+
+7. **Announcement**: Concomitant to the release announcement, the team announces the security vulnerability by making the GitHub issue public. This is the first point that any information regarding the vulnerability is made public.
+
+   a. **Credit**: The team publicly acknowledges the contributions of the
+   reporter once the vulnerability is resolved, subject to the
+   reporter's preferences for attribution.
+
+8. **Disagreements**: In case of disagreements with the reporter on the fix, mitigation, timing, or announcement, the team has the final say.
+
+## Responsible Disclosure
+
+We kindly request that reporters adhere to responsible disclosure
+practices, which include:
+
+- **Do not disclose the vulnerability publicly**: Please refrain from
+  posting details of the vulnerability on public forums or social
+  media until it has been resolved.
+- **Do not exploit the vulnerability**: Do not attempt to exploit the
+  vulnerability to cause harm or gain unauthorized access to systems.
+- **Work with us**: Allow us a reasonable amount of time to
+  investigate and address the vulnerability before publicly disclosing
+  any details.
+
+## Legal Protections
+
+We will not pursue legal action against individuals who
+report security vulnerabilities to us.
+
+## Contact Information
+
+To report a security vulnerability, please use [GitHub
+form]((add project github form for your project)). Should you experience any issues reporting via GitHub or have other questions, Please contact [Security](security@intersectmbo.org).
+
+## Revision of Policy
+
+This Security Vulnerability Disclosure Policy may be updated or
+revised as necessary. Please check the latest version of this policy
+on the [io-sim](https://github.com/IntersectMBO/io-sim).
+
+## Conclusion
+
+The io-sim project greatly appreciates the assistance of the security community
+in helping us maintain the security of our software while upholding the highest
+standards of privacy. Together, we can work to identify and address
+vulnerabilities, ensuring a safer and more secure experience for all users.
@@ -6,6 +6,8 @@
 
 ### Non-breaking changes
 
+* Repository moved to https://github.com/IntersectMBO/io-sim
+
 ## 1.10.1.0
 
 ### Non-breaking changes

@@ -1,4 +1,4 @@
-Copyright 2019-2024 Input Output Global Inc (IOG)
+Copyright 2019-2026 Input Output Global Inc (IOG), 2026 Intersect
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

@@ -12,19 +12,19 @@ constraints in mind:
 
 We provide also non-standard extensions of this API in **sublibraries**:
 
-* [`io-classes:strict-stm`](https://input-output-hk.github.io/io-sim/io-classes/strict-stm/index.html) strict `TVar`'s, and other mutable `STM` variables, with
+* [`io-classes:strict-stm`](https://intersectmbo.github.io/io-sim/io-classes/strict-stm/index.html) strict `TVar`'s, and other mutable `STM` variables, with
   support of the [`nothunks`] library;
-* [`io-classes:strict-mvar`](https://input-output-hk.github.io/io-sim/io-classes/strict-mvar/index.html): strict `MVar`s
-* [`io-classes:si-timers`](https://input-output-hk.github.io/io-sim/io-classes/si-timers/index.html): timers api:
+* [`io-classes:strict-mvar`](https://intersectmbo.github.io/io-sim/io-classes/strict-mvar/index.html): strict `MVar`s
+* [`io-classes:si-timers`](https://intersectmbo.github.io/io-sim/io-classes/si-timers/index.html): timers api:
 
     - 32-bit safe API using `DiffTime` measured in seconds (rather than time in
       microseconds represented as `Int` as in `base`)
     - cancellable timeouts.
 
-* [`io-classes:mtl`](https://input-output-hk.github.io/io-sim/io-classes/mtl/index.html):
+* [`io-classes:mtl`](https://intersectmbo.github.io/io-sim/io-classes/mtl/index.html):
   MTL instances.
 
-[`io-classes:strict-stm`](https://input-output-hk.github.io/io-sim/io-classes/strict-stm/index.html)
+[`io-classes:strict-stm`](https://intersectmbo.github.io/io-sim/io-classes/strict-stm/index.html)
 and [`nothunks`] were successfully used in a large
 code base to eliminate space leaks and keep that property over long development
 cycles.
@@ -80,7 +80,7 @@ delays & timers.
 ## Software Transactional Memory API
 
 We provide two interfaces to `stm` API: lazy, included in [`io-classes`][lazy-stm]; and
-strict one provided by [`io-classes:strict-stm`](https://input-output-hk.github.io/io-sim/io-classes/strict-stm/index.html).
+strict one provided by [`io-classes:strict-stm`](https://intersectmbo.github.io/io-sim/io-classes/strict-stm/index.html).
 
 ## Threads API
 
@@ -164,27 +164,27 @@ only possible because we can control the execution environment of [`io-sim`].
 [`base`]: https://hackage.haskell.org/package/base
 [`exceptions`]: https://hackage.haskell.org/package/exceptions
 [`io-sim`]: https://hackage.haskell.org/package/io-sim
-[io-classes:strict-mvar]: https://input-output-hk.github.io/io-sim/io-classes/strict-mvar/index.html
-[io-classes:mtl]: https://input-output-hk.github.io/io-sim/io-classes/mtl/index.html
+[io-classes:strict-mvar]: https://intersectmbo.github.io/io-sim/io-classes/strict-mvar/index.html
+[io-classes:mtl]: https://intersectmbo.github.io/io-sim/io-classes/mtl/index.html
 [`stm`]: https://hackage.haskell.org/package/stm
-[lazy-stm]: https://input-output-hk.github.io/io-sim/io-classes/Control-Concurrent-Class-MonadSTM.html
+[lazy-stm]: https://intersectmbo.github.io/io-sim/io-classes/Control-Concurrent-Class-MonadSTM.html
 [`threadDelay`]: https://hackage.haskell.org/package/io-classes/docs/Control-Monad-Class-MonadTimer.html#v:threadDelay
 [`time`]: https://hackage.haskell.org/package/time
-[contributing]: https://www.github.com/input-output-hk/io-sim/tree/master/CONTRIBUTING.md
+[contributing]: https://www.github.com/intersectmbo/io-sim/tree/master/CONTRIBUTING.md
 [`nothunks`]: https://hackage.haskell.org/package/nothunks
 [labelThread-base]: https://hackage.haskell.org/package/base-4.17.0.0/docs/GHC-Conc-Sync.html#v:labelThread
 [io-deadlock]: https://hackage.haskell.org/package/base-4.19.0.0/docs/Control-Exception.html#t:Deadlock
 
-[MonadEventlog]: https://input-output-hk.github.io/io-sim/io-classes/Control-Monad-Class-MonadEventlog.html#t:MonadEventlog
+[MonadEventlog]: https://intersectmbo.github.io/io-sim/io-classes/Control-Monad-Class-MonadEventlog.html#t:MonadEventlog
 [Debug.Trace]: https://hackage.haskell.org/package/base/docs/Debug-Trace.html
-[MonadAsync]: https://input-output-hk.github.io/io-sim/io-classes/Control-Monad-Class-MonadAsync.html#t:MonadAsync
-[MonadFork]: https://input-output-hk.github.io/io-sim/io-classes/Control-Monad-Class-MonadFork.html#t:MonadFork
-[MonadMVar]: https://input-output-hk.github.io/io-sim/io-classes/Control-Concurrent-Class-MonadMVar.html#t:MonadMVar
-[`registerDelayCancellable`]: http://input-output-hk.github.io/io-sim/io-classes/si-timers/Control-Monad-Class-MonadTimer-SI.html#v:registerDelayCancellable
-[strict-mvar]: https://input-output-hk.github.io/io-sim/io-classes/strict-mvar/Control-Concurrent-Class-MonadMVar-Strict.html
-[MonadST]: https://input-output-hk.github.io/io-sim/io-classes/Control-Monad-Class-MonadST.html#t:MonadST
-[MonadSay]: https://input-output-hk.github.io/io-sim/io-classes/Control-Monad-Class-MonadSay.html#t:MonadSay
-[io-classes-haddocks]: https://input-output-hk.github.io/io-sim
+[MonadAsync]: https://intersectmbo.github.io/io-sim/io-classes/Control-Monad-Class-MonadAsync.html#t:MonadAsync
+[MonadFork]: https://intersectmbo.github.io/io-sim/io-classes/Control-Monad-Class-MonadFork.html#t:MonadFork
+[MonadMVar]: https://intersectmbo.github.io/io-sim/io-classes/Control-Concurrent-Class-MonadMVar.html#t:MonadMVar
+[`registerDelayCancellable`]: http://intersectmbo.github.io/io-sim/io-classes/si-timers/Control-Monad-Class-MonadTimer-SI.html#v:registerDelayCancellable
+[strict-mvar]: https://intersectmbo.github.io/io-sim/io-classes/strict-mvar/Control-Concurrent-Class-MonadMVar-Strict.html
+[MonadST]: https://intersectmbo.github.io/io-sim/io-classes/Control-Monad-Class-MonadST.html#t:MonadST
+[MonadSay]: https://intersectmbo.github.io/io-sim/io-classes/Control-Monad-Class-MonadSay.html#t:MonadSay
+[io-classes-haddocks]: https://intersectmbo.github.io/io-sim
 
 [bob-conf]: https://youtu.be/uedUGeWN4ZM
 [zuriHac-2022]: https://youtu.be/tKIYQgJnGkA
@@ -27,22 +27,22 @@ description:
 
   = Documentation
   Haddocks of all public sublibraries are published
-  [here](https://input-output-hk.github.io/io-sim).
+  [here](https://intersectmbo.github.io/io-sim).
 
 license:             Apache-2.0
 license-files:       LICENSE NOTICE
-copyright:           2019-2025 Input Output Global Inc (IOG)
+copyright:           2019-2026 Input Output Global Inc (IOG), 2026 Intersect
 author:              Alexander Vieth, Duncan Coutts, Marcin Szamotulski, Neil Davies, Thomas Winant
 maintainer:          Duncan Coutts duncan@well-typed.com, Marcin Szamotulski coot@coot.me
 category:            Control
 build-type:          Simple
 extra-doc-files:     CHANGELOG.md README.md strict-stm/README.md strict-mvar/README.md
-bug-reports:         https://github.com/input-output-hk/io-sim/issues
+bug-reports:         https://github.com/intersectmbo/io-sim/issues
 tested-with:         GHC == { 9.6, 9.8, 9.10, 9.12, 9.14 }
 
 source-repository head
   type:     git
-  location: https://github.com/input-output-hk/io-sim
+  location: https://github.com/intersectmbo/io-sim
   subdir:   io-classes
 
 flag asserts

@@ -4,4 +4,4 @@ The `io-classes:strict-mvar` package provides a strict interface to mutable
 variables (`MVar`). It builds on top of `io-classes:io-classes`, and thus it
 provides the interface for `MVar`s implementations from both
 [base](https://hackage.haskell.org/package/base-4.17.0.0/docs/Control-Concurrent-MVar.html)
-and [io-sim](https://github.com/input-output-hk/io-sim).
+and [io-sim](https://github.com/intersectmbo/io-sim).
@@ -11,7 +11,7 @@ which might lurk in `stm` shared mutable variables.  Together with the
 [`nothunks`] library it was successfully used to eliminate and keep a large
 system ([`cardano-node`]) space leak free.
 
-[`cardano-node`]: https://www.github.com/input-output-hk/cardano-node
+[`cardano-node`]: https://www.github.com/intersectmbo/cardano-node
 [`io-classes:io-classes`]: https://hackage.haskell.org/package/io-classes
 [`io-sim`]: https://hackage.haskell.org/package/io-sim
 [`nothunks`]: https://hackage.haskell.org/package/nothunks

@@ -1,5 +1,13 @@
 # Revision history of io-sim
 
+## next version
+
+### Breaking changes
+
+### Non-breaking changes
+
+* Repository moved to https://github.com/IntersectMBO/io-sim
+
 ## 1.10.1.0
 
 ### Non-breaking changes

@@ -1,4 +1,4 @@
-Copyright 2019-2024 Input Output Global Inc (IOG)
+Copyright 2019-2026 Input Output Global Inc (IOG), 2026 Intersect
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.