[{"id":3771853,"new_policy":"## Scope\n\n**This program is for security issues in the Ruby programming language.** Please note that the following are **outside the scope** of this program:\n* Websites (including *.ruby-lang.org)\n* Third-party applications\n* Processing Ruby code with RDoc\n\nWhile you may submit website issues, they are generally not eligible for formal security tracking under this program.\n\n### Bundled Gems\nThe bundled gems are also outside the scope of this program. You can see the list of bundled gems in [bundled_gems](https://github.com/ruby/ruby/blob/master/gems/bundled_gems). Please submit vulnerability reports for those gems directly to their respective repositories (e.g., `https://github.com/ruby/[gem name]/security/advisories/new`).\n\n## Submission Guidelines\n\nWe appreciate your contributions to making Ruby more secure. Please note that this is a **vulnerability disclosure program without monetary rewards (bounties)**. \n\nTo ensure your report is processed effectively, please keep the following guidelines in mind:\n\n* **Technical Accuracy:** You are responsible for the accuracy of your report. Reports containing obvious contradictions or automated spam will be closed.\n* **Conciseness:** Please keep your report brief and focused on technical facts. A simple, reproducible Proof of Concept (PoC) is much more helpful than lengthy explanations. Avoid overstating the severity of the issue.\n* **Manual Review:** We expect you to personally review and understand every claim in your report. **Do not submit unverified content generated by automated tools or AI.** Submissions that appear to be raw, unverified AI output will be disregarded.\n\n## Vulnerability Handling Process\n\nThe Ruby core team and security maintainers have the final decision on which issues constitute security vulnerabilities. 
We ask that you respect their technical judgment throughout the coordination process.\n\n**Please note that we do not offer monetary payouts for vulnerability discoveries.** Your contributions are recognized through the improvement of the Ruby ecosystem and, where applicable, public acknowledgment in security advisories.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-30T01:39:46.102Z"},{"id":3771852,"new_policy":"## Scope\n\n**This program is for security issues in the Ruby programming language.** Please note that the following are **outside the scope** of this program:\n* Websites (including *.ruby-lang.org)\n* Third-party applications\n* Processing Ruby code with RDoc\n\nWhile you may submit website issues, they are generally not eligible for formal security tracking under this program.\n\n### Bundled Gems\nThe bundled gems are also outside the scope of this program. You can see the list of bundled gems in [bundled_gems](https://github.com/ruby/ruby/blob/master/gems/bundled_gems). Please submit vulnerability reports for those gems directly to their respective repositories (e.g., `https://github.com/ruby/[gem name]/security/advisories/new`).\n\n## Submission Guidelines\n\nWe appreciate your contributions to making Ruby more secure. 
As this is a **vulnerability disclosure program without monetary rewards (bounties)**, please keep the following in mind:\n\n* **Technical Accuracy:** You are responsible for the accuracy of your report. Reports containing obvious contradictions or automated spam will be closed.\n* **Conciseness:** Please keep your report brief and focused on technical facts. A simple, reproducible Proof of Concept (PoC) is much more helpful than lengthy explanations. Avoid overstating the severity of the issue.\n* **Manual Review:** We expect you to personally review and understand every claim in your report. **Do not submit unverified content generated by automated tools or AI.** Submissions that appear to be raw, unverified AI output will be disregarded.\n\n## Vulnerability Handling Process\n\nThe Ruby core team and security maintainers have the final decision on which issues constitute security vulnerabilities. We ask that you respect their technical judgment throughout the coordination process.\n\n**Please note that we do not offer monetary payouts for vulnerability discoveries.** Your contributions are recognized through the improvement of the Ruby ecosystem and, where applicable, public acknowledgment in security advisories.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-30T00:54:46.697Z"},{"id":3771850,"new_policy":"## Scope\n\n**This program is for security issues in the Ruby programming language.** Please note that the following are **outside the scope** of this program:\n* Websites (including *.ruby-lang.org)\n* Third-party applications\n* Processing Ruby code with RDoc\n\nWhile you may submit website issues, they are generally not eligible for formal security tracking or rewards under this program.\n\n### Bundled Gems\nThe bundled gems are also outside the scope of this program. You can see the list of bundled gems in [bundled_gems](https://github.com/ruby/ruby/blob/master/gems/bundled_gems). Please submit vulnerability reports for those gems directly to their respective repositories (e.g., `https://github.com/ruby/[gem name]/security/advisories/new`).\n\n## Submission Guidelines\n\nWe appreciate your contributions to making Ruby more secure. As this is a **vulnerability disclosure program without monetary rewards (bounties)**, please keep the following in mind:\n\n* **Technical Accuracy:** You are responsible for the accuracy of your report. Reports containing obvious contradictions or automated spam will be closed.\n* **Conciseness:** Please keep your report brief and focused on technical facts. A simple, reproducible Proof of Concept (PoC) is much more helpful than lengthy explanations. 
Avoid overstating the severity of the issue.\n* **Manual Review:** We expect you to personally review and understand every claim in your report. **Do not submit unverified content generated by automated tools or AI.** Submissions that appear to be raw, unverified AI output will be disregarded.\n\n## Vulnerability Handling Process\n\nThe Ruby core team and security maintainers have the final decision on which issues constitute security vulnerabilities. We ask that you respect their technical judgment throughout the coordination process.\n\n**Please note that we do not offer monetary payouts for vulnerability discoveries.** Your contributions are recognized through the improvement of the Ruby ecosystem and, where applicable, public acknowledgment in security advisories.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-30T00:37:08.571Z"},{"id":3769721,"new_policy":"## Scope\n\n**This bounty program is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications nor processing Ruby code with RDoc.** Please submit issues that are regarding the Ruby programming language.  You may also submit website issues, but in principle, they are outside the scope of the bounty program. \n\nThe bundled gems are also outside the scope of the bounty program. 
You can see that list with [bundled_gems](https://github.com/ruby/ruby/blob/master/gems/bundled_gems) and submit vulnerability report like `https://github.com/ruby/[gem name]/security/advisories/new`.\n\n## Submission Guidelines\n\nWe appreciate your contributions. Please keep the following in mind:\n\n* Technical Accuracy: You are responsible for the accuracy of your report. We may close reports as Spam if they contain obvious contradictions that someone reporting the issue would not make.\n\n* Conciseness: Please keep your report brief and focused on technical facts. Instead of lengthy explanations, a simple Proof of Concept (PoC) is much more helpful. Avoid excessive language or overstating the severity of the issue.\n\n* Manual Review: We expect you to personally review and understand every claim in your report. Do not submit unverified content generated by automated tools or AI.\n\n## Internet Bug Bounty Qualification\n\nThe Internet Bug Bounty awards security research on Ruby. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions **after the project maintainers have resolved the vulnerability.**\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-02-16T08:54:39.191Z"},{"id":3747469,"new_policy":"**This bounty program is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications nor processing Ruby code with RDoc.** Please submit issues that are regarding the Ruby programming language.  You may also submit website issues, but in principle, they are outside the scope of the bounty program. \n\nThe bundled gems are also outside the scope of the bounty program. You can see that list with [bundled_gems](https://github.com/ruby/ruby/blob/master/gems/bundled_gems) and submit vulnerability report like `https://github.com/ruby/[gem name]/security/advisories/new`.\n\n# Internet Bug Bounty Qualification\n\nThe Internet Bug Bounty awards security research on Ruby. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions **after the project maintainers have resolved the vulnerability.**\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. 
The IBB team will respect their decision, and we ask that you do as well.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-01-06T08:28:02.011Z"},{"id":3697785,"new_policy":"**This bounty program is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications nor processing Ruby code with RDoc.** Please submit issues that are regarding the Ruby programming language.  You may also submit website issues, but in principle, they are outside the scope of the bounty program. \nDocumentation on Ruby can be [found here](https://www.ruby-lang.org/en/documentation/).\n\n# Internet Bug Bounty Qualification\n\nThe Internet Bug Bounty awards security research on Ruby. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. 
As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions **after the project maintainers have resolved the vulnerability.**\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-07-13T06:25:25.560Z"},{"id":3658667,"new_policy":"**This bounty program is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications.** Please submit issues that are regarding the Ruby programming language.  You may also submit website issues, but in principle, they are outside the scope of the bounty program.\n\nDocumentation on Ruby can be [found here](https://www.ruby-lang.org/en/documentation/).\n\n# Internet Bug Bounty Qualification\n\nThe Internet Bug Bounty awards security research on Ruby. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. 
As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions **after the project maintainers have resolved the vulnerability.**\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-21T15:22:44.172Z"},{"id":3624481,"new_policy":"**This bounty program is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications.** Please submit issues that are regarding the Ruby programming language.  You may also submit website issues, but in principle, they are outside the scope of the bounty program.\n\nDocumentation on Ruby can be [found here](https://www.ruby-lang.org/en/documentation/).\n\n# Internet Bug Bounty Qualification\n\nOnly vulnerabilities that demonstrate security impact to the system's integrity or confidentiality are eligible for a bounty - typically Arbitrary Code Execution or equivalent impact. 
While we encourage you to submit all potential issues, lower severity issues are not eligible for bounty at this time.\n\n| Impact |\n| ----- | \n| **Critical** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | \n| **High** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control a register).* | \n| **Medium** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | \n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. 
If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-11-25T03:34:47.127Z"},{"id":3609277,"new_policy":"**This bounty program is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications.** Please submit issues that are regarding the Ruby programming language.\n\nDocumentation on Ruby can be [found here](https://www.ruby-lang.org/en/documentation/).\n\n# Internet Bug Bounty Qualification\n\nOnly vulnerabilities that demonstrate security impact to the system's integrity or confidentiality are eligible for a bounty - typically Arbitrary Code Execution or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not eligible for bounty at this time.\n\n| Impact |\n| ----- | \n| **Critical** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | \n| **High** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control a register).* | \n| **Medium** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | \n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. 
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\n## Safe Harbor\n\nAny activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2019-05-10T21:22:27.809Z"},{"id":3567443,"new_policy":"**This issue tracker is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications.** Please submit issues that are regarding the Ruby programming language.\n\n# Internet Bug Bounty Qualification\n\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. 
The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-25T00:42:59.713Z"},{"id":3567442,"new_policy":"** This issue tracker is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications. ** Please submit issues that are regarding the Ruby programming language.\n\n# Internet Bug Bounty Qualification\n\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. 
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-25T00:42:28.644Z"},{"id":3567441,"new_policy":"# Policy\n\n** This issue tracker is for security issues in the Ruby programming language, neither websites (including *.ruby-lang.org) nor third party applications. ** Please submit issues that are regarding the Ruby programming language.\n\n# Internet Bug Bounty Qualification\n\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. 
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2018-01-25T00:41:55.487Z"},{"id":2955956,"new_policy":"# This issue tracker is for security issues in the Ruby programming language, neither websites (including www.ruby-lang.org) nor third party applications. Please submit issues that are regarding the Ruby programming language.\n\nRuby is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nInternet Bug Bounty Qualification\n==========\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. 
The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-24T01:07:22.983Z"},{"id":2931577,"new_policy":"# This issue tracker is for security issues in the Ruby programming language, not a website or third party applications. Please submit issues that are regarding the Ruby programming language.\n\nRuby is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nInternet Bug Bounty Qualification\n==========\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. 
good control a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-21T00:44:12.578Z"},{"id":2927904,"new_policy":"**This issue tracker is for security issues in the Ruby programming language, not a website or third party applications. Please submit issues that are regarding the Ruby programming language.**\n\nRuby is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nInternet Bug Bounty Qualification\n==========\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. 
While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have the final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-20T10:58:45.656Z"},{"id":2926597,"new_policy":"**This issue tracker is for security issues in the Ruby programming language, not a website or third party applications. Please submit issues that are regarding the Ruby programming language.**\n\nRuby is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nBounty Qualification\n==========\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. 
While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have the final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well.\n\nIt's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSubmission Process\n===========\n* Disclose a previously unknown security vulnerability [directly to the project maintainers](/ruby/reports/new).\n* Follow the disclosure process established by the project maintainers.\n* Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.\n* Once a public security advisory has been issued, please contact us at **panel@internetbugbounty.org**. 
You **must not** send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-19T23:37:11.511Z"},{"id":2926576,"new_policy":"Ruby is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\n**This issue tracker is for security issues in the Ruby programming language, not a website or third party applications. Please submit issues that are regarding the Ruby programming language.**\n\nBounty Qualification\n==========\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have the final decision on which issues constitute security vulnerabilities. 
The Panel will respect their decision, and we ask that you do as well.\n\nIt's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSubmission Process\n===========\n* Disclose a previously unknown security vulnerability [directly to the project maintainers](/ruby/reports/new).\n* Follow the disclosure process established by the project maintainers.\n* Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.\n* Once a public security advisory has been issued, please contact us at **panel@internetbugbounty.org**. You **must not** send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-19T23:30:05.460Z"},{"id":2918775,"new_policy":"Ruby is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nBounty Qualification\n==========\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. 
While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have the final decision on which issues constitute security vulnerabilities. The Panel will respect their decision, and we ask that you do as well.\n\nIt's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSubmission Process\n===========\n* Disclose a previously unknown security vulnerability [directly to the project maintainers](/ruby/reports/new).\n* Follow the disclosure process established by the project maintainers.\n* Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.\n* Once a public security advisory has been issued, please contact us at **panel@internetbugbounty.org**. 
You **must not** send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-17T22:53:39.289Z"},{"id":2918773,"new_policy":"Ruby is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.\n\nBounty Qualification\n==========\nOnly critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have the final decision on which issues constitute security vulnerabilities. 
The Panel will respect their decision, and we ask that you do as well.\n\nIt's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\nSubmission Process\n===========\n* Disclose a previously unknown security vulnerability [directly to the project maintainers](/ruby/reports/new).\n* Follow the disclosure process established by the project maintainers.\n* Clearly demonstrate the security vulnerability. Respect the time of the project volunteers as they cannot invest significant effort into incomplete reports. Low-quality reports may be disqualified.\n* Once a public security advisory has been issued, please contact us at **panel@internetbugbounty.org**. You **must not** send us the details of the vulnerability until it has been validated, accepted, and publicly disclosed by the project maintainers.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-06-17T22:53:39.089Z"}]