Process for Security Fixes


Security vulnerabilities should be reported via an email to, which is a private mailing list.

DO NOT report them via this Redmine, because Redmine publishes reported problems immediately.


The security team discusses and fixes the vulnerability as soon as possible.


  • Releases a new patch-level release of Ruby, or publishes a patch.
  • Sends an email to ruby-talk and ruby-list.
  • Posts an article to the news page on

Security Team

The security team consists of some of the committers and other security specialists.

Release managers and distributors who create and distribute packages of Ruby, e.g. a package manager of Ruby in some Linux distribution, should subscribe