Bug #5821
security disclosure policy
| Status: | Open | Start date: | 12/29/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
Description
In short, I think:
http://www.ruby-lang.org/en/security/
should do more to emulate:
http://jruby.org/security
Namely, we don't have a "Disclosure Procedure" section:
> Disclosure Procedure
>
> The JRuby team will endeavor to follow these steps when handling reported vulnerabilities:
>
> 1. Work with the reporter to determine the appropriate fix within 24-72 hours of the initial email report.
> 2. Once the fix has been found, wait for an embargo period of 48 hours.
> 3. After the embargo has passed, push out a new software release containing the fix.
> 4. Send email announcement on jruby-user mailing list containing source patch for most recent release.
> 5. Post an announcement on jruby.org and list below.
Can we get something like this added?