[{"id":3771851,"new_policy":"Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please send a mail to [support address](mailto:support@rubygems.org).\n\n# Reporting a security issue\n\nPlease ensure this is a security issue for the RubyGems client or the RubyGems.org service. This tracker is only for security issues with RubyGems, Bundler, or the RubyGems.org website.\n\n**Please note: This is a vulnerability disclosure program without monetary rewards (bounties).** We appreciate your help in keeping the ecosystem safe, but we do not offer financial compensation for reports.\n\nFor all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](https://rubyonrails.org/security).\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the Bundler slack are public areas. If escalating to these places, please do not discuss your issue, simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5 step disclosure process:\n\n1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. 
These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* **Manual Review Required:** We expect you to personally review and understand every claim in your report. **Do not submit unverified content generated by automated tools or AI.** Submissions that appear to be raw, unverified AI output or lack a manual proof-of-concept will be disregarded.\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\n\nWe do not accept reports about third party services we use or our public S3 buckets containing database dumps. 
For a detailed list of included and excluded scopes, see [the Scopes tab](https://hackerone.com/rubygems/policy_scopes).\n\nDo not engage in:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n* Using scanners or automated tools to find vulnerabilities - they’re noisy and lead to false positives\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Decision Authority\n\nThe project maintainers have the final decision on which issues constitute security vulnerabilities. Their technical judgment is final, and we ask that you respect the decision regarding the severity and validity of any reported issue.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-30T00:44:35.636Z"},{"id":3760065,"new_policy":"Found a security issue with RubyGems or RubyGems.org? 
Please follow these steps to report it.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please  send a mail to [support address](mailto:support@rubygems.org).\n\n# Reporting a security issue\n\nPlease ensure this is a security issue for the RubyGems client or the RubyGems.org service. This tracker is only for security issues with RubyGems, Bundler, or the RubyGems.org website.\n\nFor all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](https://rubyonrails.org/security).\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the Bundler slack are public areas. If escalating to these places, please do not discuss your issue, simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5 step disclosure process:\n\n1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. 
This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\n\nWe do not accept reports about third party services we use or our public S3 buckets containing database dumps. For a detailed list of included and excluded scopes, see [the Scopes tab](https://hackerone.com/rubygems/policy_scopes).\n\nDo not engage in:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n* Using scanners or automated tools to find vulnerabilities - they’re noisy and lead to false positives\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. 
We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nThe Internet Bug Bounty awards security research on RubyGems. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions. For bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) and rubygems.org domain are in scope. \n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-28T05:55:19.388Z"},{"id":3707445,"new_policy":"Found a security issue with RubyGems or RubyGems.org? 
Please follow these steps to report it.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please use the help site to [open a support ticket](http://support.rubygems.org).\n\n# Reporting a security issue\n\nPlease ensure this is a security issue for the RubyGems client or the RubyGems.org service. This tracker is only for security issues with RubyGems, Bundler, or the RubyGems.org website.\n\nFor all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](http://rubyonrails.org/security/).\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the Bundler slack are public areas. If escalating to these places, please do not discuss your issue, simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5 step disclosure process:\n\n1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. 
This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\n\nWe do not accept reports about third party services we use or our public S3 buckets containing database dumps. For a detailed list of included and excluded scopes, see [the Scopes tab](https://hackerone.com/rubygems/policy_scopes).\n\nDo not engage in:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n* Using scanners or automated tools to find vulnerabilities - they’re noisy and lead to false positives\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. 
We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nThe Internet Bug Bounty awards security research on RubyGems. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions. For bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) and rubygems.org domain are in scope. \n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2023-11-23T00:51:23.394Z"},{"id":3663335,"new_policy":"Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.\n\n**For bounty rewards, only the rubygems library is in scope (does not include the deprecated `gem serve` command).**\n\n# Reporting a security issue\n\nBefore continuing, please ensure this is a security issue for the RubyGems client or the RubyGems.org service. 
For all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](http://rubyonrails.org/security/).\n\nFor any security bug or issue with the RubyGems client or RubyGems.org service, please let us know here with details about the problem.\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue, simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.\n\nFor bugs or other problems with RubyGems.org, please use the RubyGems.org help site to [open a new issue](http://help.rubygems.org).\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5 step disclosure process:\n\n1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. 
This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n* Using scanners or automated tools to find vulnerabilities - they’re noisy and lead to false positives\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. 
We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nThe Internet Bug Bounty awards security research on RubyGems. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions. For bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) and rubygems.org domain are in scope. \n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-12-22T19:35:01.724Z"},{"id":3658666,"new_policy":"Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.\n\n**For bounty rewards, only the rubygems library is in scope (does not include the deprecated `gem serve` command).**\n\n# Reporting a security issue\n\nBefore continuing, please ensure this is a security issue for the RubyGems client or the RubyGems.org service. 
For all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](http://rubyonrails.org/security/).\n\nFor any security bug or issue with the RubyGems client or RubyGems.org service, please let us know here with details about the problem.\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue, simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.\n\nFor bugs or other problems with RubyGems.org, please use the RubyGems.org help site to [open a new issue](http://help.rubygems.org).\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5 step disclosure process:\n\n1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. 
This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n* Using scanners or automated tools to find vulnerabilities - they’re noisy and lead to false positives\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. 
We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nThe Internet Bug Bounty awards security research on RubyGems. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. As the IBB supports the whole vulnerability lifecycle, these bounty awards are awarded as an 80/20 split, where 80% will go to you, the finder, and 20% will be given to Ruby to continue to support the vulnerability remediation efforts.\n\nTo submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions. For bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) is in scope. \n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-21T15:16:36.514Z"},{"id":3658195,"new_policy":"Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.\n\n**For bounty rewards, only the rubygems library is in scope (does not include the deprecated `gem serve` command).**\n\n# Reporting a security issue\n\nBefore continuing, please ensure this is a security issue for the RubyGems client or the RubyGems.org service. 
For all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](http://rubyonrails.org/security/).\n\nFor any security bug or issue with the RubyGems client or RubyGems.org service, please let us know here with details about the problem.\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue, simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.\n\nFor bugs or other problems with RubyGems.org, please use the RubyGems.org help site to [open a new issue](http://help.rubygems.org).\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5 step disclosure process:\n\n1. Security report received and is assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and, a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. 
This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n* Using scanners or automated tools to find vulnerabilities - they’re noisy and lead to false positives\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. 
We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nFor bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) is in scope. Also, only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope for the bounty at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. 
It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2021-09-12T06:06:53.055Z"},{"id":3539834,"new_policy":"Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.\n\n**For bounty rewards, only the rubygems library is in scope.**\n\n# Reporting a security issue\n\nBefore continuing, please ensure this is a security issue for the RubyGems client or the RubyGems.org service. For all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](http://rubyonrails.org/security/).\n\nFor any security bug or issue with the RubyGems client or RubyGems.org service, please let us know here with details about the problem.\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue; simply say that you’re trying to get a hold of someone from the security team. 
Thanks in advance for responsibly disclosing your security issue.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.\n\nFor bugs or other problems with RubyGems.org, please use the RubyGems.org help site to [open a new issue](http://help.rubygems.org).\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5-step disclosure process:\n\n1. Security report is received and assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. 
Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n* Using scanners or automated tools to find vulnerabilities - they’re noisy and lead to false positives\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nFor bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) is in scope. Also, only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. 
While we encourage you to submit all potential issues, lower severity issues are not in scope for the bounty at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-10-03T01:30:10.445Z"},{"id":3538594,"new_policy":"Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.\n\n**For bounty rewards, only the rubygems library is in scope.**\n\n# Reporting a security issue\n\nBefore continuing, please ensure this is a security issue for the RubyGems client or the RubyGems.org service. For all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. 
If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](http://rubyonrails.org/security/).\n\nFor any security bug or issue with the RubyGems client or RubyGems.org service, please let us know here with details about the problem.\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue; simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.\n\nFor bugs or other problems with RubyGems.org, please use the RubyGems.org help site to [open a new issue](http://help.rubygems.org).\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5-step disclosure process:\n\n1. Security report is received and assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. 
At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nFor bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) is in scope. Also, only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. 
While we encourage you to submit all potential issues, lower severity issues are not in scope for the bounty at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-07T01:48:20.736Z"},{"id":3538593,"new_policy":"Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.\n\n# Reporting a security issue\n\nBefore continuing, please ensure this is a security issue for the RubyGems client or the RubyGems.org service. For all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. 
If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](http://rubyonrails.org/security/).\n\nFor any security bug or issue with the RubyGems client or RubyGems.org service, please let us know here with details about the problem.\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue; simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.\n\nFor bugs or other problems with RubyGems.org, please use the RubyGems.org help site to [open a new issue](http://help.rubygems.org).\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5-step disclosure process:\n\n1. Security report is received and assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. 
At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Brute-force attacks\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nFor bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) is in scope. Also, only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. 
While we encourage you to submit all potential issues, lower severity issues are not in scope for the bounty at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-06T22:50:22.510Z"},{"id":3538581,"new_policy":"Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.\n\n# Reporting a security issue\n\nBefore continuing, please ensure this is a security issue for the RubyGems client or the RubyGems.org service. For all vulnerabilities with individual gems, follow our guide on [reporting security issues](http://guides.rubygems.org/security/#reporting-security-vulnerabilities) with others' gems. 
If it's a security issue with the Ruby on Rails framework, see the [Rails Security guide](http://rubyonrails.org/security/).\n\nFor any security bug or issue with the RubyGems client or RubyGems.org service, please let us know here with details about the problem.\n\nPlease note: the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers), the [rubygems.org mailing list](https://groups.google.com/forum/#!forum/rubygems-org), and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue; simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.\n\n# Reporting RubyGems.org Website Problems\n\nIf you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.\n\nFor bugs or other problems with RubyGems.org, please use the RubyGems.org help site to [open a new issue](http://help.rubygems.org).\n\n# Disclosure Process\n\nRubyGems and RubyGems.org follow a 5-step disclosure process:\n\n1. Security report is received and assigned a primary handler. This person will coordinate the fix and release process.\n2. Problem is confirmed and a list of all affected versions is determined. Code is audited to find any potential similar problems.\n3. Fixes are prepared for all releases which are still supported. These fixes are not committed to the public repository but rather held locally pending the announcement.\n4. A suggested embargo date for this vulnerability is chosen.\n5. On the embargo date, the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers) is sent an announcement. This will include patches for all versions still under support. The changes are pushed to the public repository and new gems released to rubygems. 
At least 6 hours after the mailing list is notified, a copy of the advisory will be published on the [RubyGems.org blog](http://blog.rubygems.org/).\n\nThis process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.\n\n# Disclosure Policy\n* Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.\n* Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.\n\n# Exclusions\nWhile researching, we'd like to ask you to refrain from:\n* Denial of service\n* Spamming\n* Social engineering (including phishing) of RubyGems.org staff or volunteers\n* Any physical attempts against RubyGems.org property or data centers\n\n# Receiving Security Updates\n\nThe best way to receive all the security announcements is to subscribe to the [rubygems-developers mailing list](https://groups.google.com/forum/#!forum/rubygems-developers).\n\nNo one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.\n\n# Internet Bug Bounty Qualification\nFor bounty rewards, only the [rubygems library](https://github.com/rubygems/rubygems) is in scope. Also, only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty - typically **Arbitrary Code Execution** or equivalent impact. 
While we encourage you to submit all potential issues, lower severity issues are not in scope for the bounty at this time.\n\n| Impact | Amount |\n| --- | --- |\n| **High** *Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved.* | $1,500+ |\n| **Medium** *Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register).* | $1,000 |\n| **Minimum** *Demonstrate the presence of a security bug with probable remote exploitation potential.* | $500 |\n\nThe project maintainers have final decision on which issues constitute security vulnerabilities. The [Internet Bug Bounty Panel](https://internetbugbounty.org/#the-panel) will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.\n\n# Comments on this Policy\n\nIf you have any suggestions to improve this policy, please send an email to security@rubygems.org.\n\nThank you for helping keep RubyGems and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2016-09-06T19:19:44.691Z"}]