Process for Security Fixes
Security vulnerabilities should be reported by email to email@example.com, which is a private mailing list.
DO NOT report them via this Redmine, because Redmine publishes reported problems immediately.
The security team discusses and fixes the vulnerability as soon as possible. The team:
- Releases a new patch-level release of Ruby, or publishes a patch.
- Sends an email to ruby-talk and ruby-list.
- Posts an article to the news page on www.ruby-lang.org.
- Links the article from the security page on www.ruby-lang.org.
The security team consists of some of the committers and other security specialists.
Release managers and distributors who create and distribute packages of Ruby (e.g. a package manager of Ruby in some Linux distribution) should subscribe to firstname.lastname@example.org.