[{"id":3771868,"new_policy":"Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\n## General eligibility\n\nThe scope of the Rails project's HackerOne program is limited to the source code under https://github.com/rails. Please take a look at [our scope page](https://hackerone.com/rails/policy_scopes).\n\n### Out of scope\n\nSome types of issues are out of scope, and may be closed as N/A if a report is opened:\n\n- Regular expression denial of service attacks (ReDOS)\n  - Ruby 3.2's [Regexp.timeout](https://docs.ruby-lang.org/en/master/Regexp.html#method-c-timeout-3D) allows Rails to mitigate these types of attacks.\n- Obviously unsafe sanitizer configurations, such as allowing a default-disallowed tag and/or attribute that is documented to allow javascript\n  - Out-of-scope tags include (but are not limited to) `iframe`, `embed`, `frame`, `frameset`, and `form`.\n  - Out-of-scope attributes include (but are not limited to) `onload`, `animate`, `onfocus`, and `srcdoc`.\n  - Complex combinations of disallowed tags and attributes _may_ be eligible but will be evaluated on a case-by-case basis and will be closed if we deem the combination to be unlikely or obviously insecure.\n\nIn addition, HackerOne's [Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings) are out of scope and will be closed as N/A.\n\n## Bounty Qualification\n\nAs of March 27, 2026 the Internet Bug Bounty (IBB) is no longer accepting new submissions. 
This means that any vulnerabilities submitted from that date forward are not eligible for a bounty.\n\nYou can learn more about how to contribute to Ruby on Rails [here](https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html#contributing-to-the-rails-code).\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-30T13:32:17.373Z"},{"id":3771867,"new_policy":"Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\n## General eligibility\n\nThe scope of the Rails project's HackerOne program is limited to the source code under https://github.com/rails. 
Please take a look at [our scope page](https://hackerone.com/rails/policy_scopes).\n\n### Out of scope\n\nSome types of issues are out of scope, and may be closed as N/A if a report is opened:\n\n- Regular expression denial of service attacks (ReDOS)\n  - Ruby 3.2's [Regexp.timeout](https://docs.ruby-lang.org/en/master/Regexp.html#method-c-timeout-3D) allows Rails to mitigate these types of attacks.\n- Obviously unsafe sanitizer configurations, such as allowing a default-disallowed tag and/or attribute that is documented to allow javascript\n  - Out-of-scope tags include (but are not limited to) `iframe`, `embed`, `frame`, `frameset`, and `form`.\n  - Out-of-scope attributes include (but are not limited to) `onload`, `animate`, `onfocus`, and `srcdoc`.\n  - Complex combinations of disallowed tags and attributes _may_ be eligible but will be evaluated on a case-by-case basis and will be closed if we deem the combination to be unlikely or obviously insecure.\n\nIn addition, HackerOne's [Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings) are out of scope and will be closed as N/A.\n\n## Bounty Qualification\n\nAs of March 27, 2026 the Internet Bug Bounty (IBB) is no longer accepting new submissions. This means that any vulnerabilities that you report are not eligible for bounty as the Rails team has no way to pay these.\n\nYou can learn more about how to contribute to Ruby on Rails [here](https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html#contributing-to-the-rails-code).\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-30T13:30:40.520Z"},{"id":3750423,"new_policy":"Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\n## General eligibility\n\nThe scope of the Rails project's HackerOne program is limited to the source code under https://github.com/rails. 
Please take a look at [our scope page](https://hackerone.com/rails/policy_scopes).\n\n### Out of scope\n\nSome types of issues are out of scope, and may be closed as N/A if a report is opened:\n\n- Regular expression denial of service attacks (ReDOS)\n  - Ruby 3.2's [Regexp.timeout](https://docs.ruby-lang.org/en/master/Regexp.html#method-c-timeout-3D) allows Rails to mitigate these types of attacks.\n- Obviously unsafe sanitizer configurations, such as allowing a default-disallowed tag and/or attribute that is documented to allow javascript\n  - Out-of-scope tags include (but are not limited to) `iframe`, `embed`, `frame`, `frameset`, and `form`.\n  - Out-of-scope attributes include (but are not limited to) `onload`, `animate`, `onfocus`, and `srcdoc`.\n  - Complex combinations of disallowed tags and attributes _may_ be eligible but will be evaluated on a case-by-case basis and will be closed if we deem the combination to be unlikely or obviously insecure.\n\nIn addition, HackerOne's [Core Ineligible Findings](https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings) are out of scope and will be closed as N/A.\n\n## Bounty Qualification\n\nThe Internet Bug Bounty awards security research on Ruby on Rails. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby on Rails to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions **after the project maintainers have resolved the vulnerability.**\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. 
The IBB team will respect their decision, and we ask that you do as well.\n\n### $500 Bonus for a Valid Patch\n\nIf your report includes a correctly formatted patch for the issue you've uncovered, you may be eligible for a $500 bonus when the report is accepted and resolved.\n\nPlease note that your patch will also need to be considered an acceptable solution by the project maintainers.\n\nPatch eligibility requirements are as follows:\n- Patch file created with `git format-patch` or equivalent format.\n- Includes a solution for all relevant supported Rails versions. Details on supported versions available [here](https://guides.rubyonrails.org/maintenance_policy.html#security-issues).\n- Includes regression tests for the reported issue.\n- Patch is accepted and adopted by project maintainers\n\n\nPatches risk being ineligible if any of the stated requirements are not met.\n\n\nYou can learn more about how to contribute to Ruby on Rails [here](https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html#contributing-to-the-rails-code).\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-18T18:13:13.926Z"},{"id":3741477,"new_policy":"Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. 
If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nReDoS (Regular Expression Denial of Service) vulnerabilities are no longer eligible as Ruby 3.2+ provides protection via setting a global timeout. We welcome these to be reported on our public issue tracker on GitHub.\n\nBounty Qualification\n==========\nThe Internet Bug Bounty awards security research on Ruby on Rails. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby on Rails to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions **after the project maintainers have resolved the vulnerability.**\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n## $500 Bonus for a Valid Patch\n\nIf your report includes a correctly formatted patch for the issue you've uncovered, you may be eligible for a $500 bonus when the report is accepted and resolved.\n\nPlease note that your patch will also need to be considered an acceptable solution by the project maintainers.\n\nPatch eligibility requirements are as follows:\n- Patch file created with `git format-patch` or equivalent format.\n- Includes a solution for all relevant supported Rails versions. 
Details on supported versions available [here](https://guides.rubyonrails.org/maintenance_policy.html#security-issues).\n- Includes regression tests for the reported issue.\n- Patch is accepted and adopted by project maintainers\n\n\nPatches risk being ineligible if any of the stated requirements are not met.\n\n\nYou can learn more about how to contribute to Ruby on Rails [here](https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html#contributing-to-the-rails-code).\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-10-08T20:52:49.155Z"},{"id":3668332,"new_policy":"Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nBounty Qualification\n==========\nThe Internet Bug Bounty awards security research on Ruby on Rails. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. 
As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby on Rails to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions **after the project maintainers have resolved the vulnerability.**\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n## $500 Bonus for a Valid Patch\n\nIf your report includes a correctly formatted patch for the issue you've uncovered, you may be eligible for a $500 bonus when the report is accepted and resolved.\n\nPlease note that your patch will also need to be considered an acceptable solution by the project maintainers.\n\nPatch eligibility requirements are as follows:\n- Patch file created with `git format-patch` or equivalent format.\n- Includes a solution for all relevant supported Rails versions. Details on supported versions available [here](https://guides.rubyonrails.org/maintenance_policy.html#security-issues).\n- Includes regression tests for the reported issue.\n- Patch is accepted and adopted by project maintainers\n\n\nPatches risk being ineligible if any of the stated requirements are not met.\n\n\nYou can learn more about how to contribute to Ruby on Rails [here](https://guides.rubyonrails.org/contributing_to_ruby_on_rails.html#contributing-to-the-rails-code).\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2022-03-21T23:02:24.649Z"},{"id":3658672,"new_policy":"Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nBounty Qualification\n==========\nThe Internet Bug Bounty awards security research on Ruby on Rails. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby on Rails to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions **after the project maintainers have resolved the vulnerability.**\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-21T15:27:24.302Z"},{"id":3609278,"new_policy":"Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nBounty Qualification\n==========\nOnly vulnerabilities that demonstrate security impact to the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution**, **Universal SQL Injection**, or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not eligible for bounty at this time.\n\n| Impact |\n| ----- | \n| **Critical** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | \n| **High** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | \n| **Medium** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | \n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. 
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-10T21:46:58.377Z"},{"id":1647655,"new_policy":"Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nBounty Qualification\n==========\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution**, **Universal SQL Injection**, or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. 
The Panel will respect their decision, and we ask that you do as well.\n\nIt's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSubmission Process\n===========\n* Disclose a previously unknown security vulnerability directly to the project maintainers.\n* Follow the disclosure process established by the project maintainers.\n* Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.\n* Once a public security advisory has been issued, please contact us at **panel@internetbugbounty.org**. You **must not** send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2015-07-06T18:23:55.282Z"}]