Reporting security issues
We care deeply about providing a secure Ruby environment for running your code.
If you find a security issue, please send an email to [email protected]. In
order to keep your message safe, you can use our public key to send the report
to us.
The public key can be found in the Rubinius repository under security.pub in
the top level directory, on the website at http://rubini.us/security.pub, and
in the MIT PGP database at:
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x0F7D2F9537F9880C.
We will do our best to respond to you within 72 hours and will work with you
to create a fix for the issue. Sending an email to [email protected] will not
result in a public disclosure. We will work with you for on a public disclosure
after we have a fix ready.
For security issues for extensions that are copies from CRuby, please report
them there directly. The instructions can be found at http://www.ruby-lang.org/en/security/.
We track those issues as well and are informed by their security team. This
makes sure Rubinius also gets updated with these security fixes.