Security

Here you will find information about security issues of Ruby.

Reporting Security Vulnerabilities

Security vulnerabilities in the Ruby programming language should be reported through our bounty program page at HackerOne. Please ensure you read the specific details around the scope of our program before reporting an issue. Any valid reported problems will be published after fixes.

If you have found an issue affecting one of our websites, please report it via GitHub.

If you have found an issue that affects a specific Ruby gem, follow the instructions on RubyGems.org.

If you need to get in touch with the security team directly outside of HackerOne, you can send email to security@ruby-lang.org (the PGP public key), which is a private mailing list.

The members of the mailing list are people who provide Ruby (Ruby committers and authors of other Ruby implementations, distributors, PaaS platformers). The members must be individual people, mailing lists are not permitted.

Known issues

Here are recent issues:

More known issues: