Process for Security Fixes

Report

Security vulnerabilities should be reported by email to security@ruby-lang.org, which is a private mailing list.

DO NOT report them via this Redmine, because Redmine publishes reported problems immediately.

Fix

The security team discusses and fixes the vulnerability as soon as possible.

Announcement

  • Releases a new patch-level release of Ruby, or publishes a patch.
  • Sends an email to ruby-talk and ruby-list.
  • Posts an article to the news page on www.ruby-lang.org.

Security Team

The security team consists of some of the committers and other security specialists.

Release managers and distributors who create and distribute packages of Ruby (e.g. a package manager of Ruby in some Linux distribution) should subscribe to security@ruby-lang.org.