JRuby

Reporting Security Vulnerabilities

Please send an email to [email protected] when you think you have found a security vulnerability in JRuby or one of its associated libraries (such as the jruby-openssl gem). We will do our best to respond to you within 72 hours and work with you to fix and properly disclose the nature of the vulnerability. Please note that [email protected] is a private email address and email sent to it will not result in public disclosure.

Disclosure Procedure

The JRuby team will endeavor to follow these steps when handling reported vulnerabilities:

1. Work with the reporter to determine the appropriate fix within 24-72 hours of the initial email report.
2. Once the fix has been found, wait for an embargo period of 48 hours.
3. After the embargo has passed, push out a new software release containing the fix.
4. Send email announcement on jruby-user mailing list containing source patch for most recent release.
5. Post an announcement on jruby.org and list below.