
Ruby on Rails

Web development that doesn't hurt.

  • Minimum bounty: $1,500
  • Hackers thanked: 0
  • Bugs closed: 0

Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.

Bounty Qualification

Only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically Arbitrary Code Execution, Universal SQL Injection, or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.

The project maintainers have final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well.

It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.

Submission Process

  • Disclose a previously unknown security vulnerability directly to the project maintainers.
  • Follow the disclosure process established by the project maintainers.
  • Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.
  • Finding the vulnerability is only half the battle, so we'll award a matching bounty for an accepted patch. We encourage you to fully investigate the issue, adhere to the project's code quality standards, and submit a patch. Otherwise, we'll donate the additional bounty to a non-profit chosen by the project maintainers.
  • Once a public security advisory has been issued, please contact us at ibb-panel@hackerone.com. You must not send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.
Ruby on Rails has started using HackerOne (5 months ago).