All our paid plans guarantee swift response to vulnerabilities that have been disclosed on the Rails security list.
This includes vulnerabilities that can be used to devastating effect, or are easy to exploit on a wide range of applications. Examples of this issue class are SQL injection or remote code execution.
We will begin investigating high-priority issues within 24 hours of disclosure and will produce a new release of Rails LTS as soon as commercially feasible.
This includes issues that are extremely difficult to exploit, or can only be exploited given very uncommon configurations.
Patches for low-priority issues will be produced beginning on the first business day after disclosure.
Whether or not an issue qualifies as a "highest-priority issue" will be decided by us (makandra GmbH) on a case-by-case basis. We are very conservative in our judgement and prefer to err on the side of caution.
For some context, in the first year of Rails LTS our reaction times were consistently below 24 hours:
| Advisory | Time until Rails LTS patch |
|---|---|
| CVE-2013-4491 | 16.5 hours |
| CVE-2013-6414 | 16.5 hours |
| CVE-2013-6415 | 16.5 hours |
| CVE-2013-6416 | 16.5 hours |
| CVE-2013-6417 | 16.5 hours |
| CVE-2014-0080 | 16.0 hours |
| CVE-2014-0081 | 16.0 hours |
| CVE-2014-0082 | 16.0 hours |
| CVE-2014-0130 | 20.0 hours |
| CVE-2014-3482 | 22.5 hours |
| CVE-2014-3483 | 22.5 hours |