
Ruby
External Program
This bounty program covers security issues in the Ruby programming language itself. It does not cover websites (including .ruby-lang.org), third-party applications, or the processing of Ruby code with RDoc. Please submit issues that concern the Ruby programming language. You may also submit website issues, but in principle they are outside the scope of the bounty program.
The bundled gems are also outside the scope of the bounty program. The list of bundled gems is kept in the bundled_gems file in the Ruby source tree; report a vulnerability in one of those gems through that gem's own security advisory page, e.g. https://github.com/ruby/[gem name]/security/advisories/new.
We appreciate your contributions. Please keep the following in mind:
Technical Accuracy: You are responsible for the accuracy of your report. We may close a report as Spam if it contains obvious contradictions that someone who had actually reproduced the issue would not make.
Conciseness: Please keep your report brief and focused on technical facts. Instead of lengthy explanations, a simple Proof of Concept (PoC) is much more helpful. Avoid excessive language or overstating the severity of the issue.
Manual Review: We expect you to personally review and understand every claim in your report. Do not submit unverified content generated by automated tools or AI.
The Internet Bug Bounty awards security research on Ruby. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.
To submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions after the project maintainers have resolved the vulnerability.
The project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.