Plans & Pricing
Stay on your current Rails version – Continue receiving security updates for as long as you need them.
Free Rails 2.3 LTS community edition
In addition to our commercial plans, we offer a free community edition. The community edition provides security patches for Rails 2.3, but with some limitations:
- Patches are made available 10 days after their release to paid subscribers.
- Only supports Rails 2.3.
- Gems cannot be retrieved from a Rubygems server; they must be pulled from a Git repository instead.
Frequently asked questions
A monolithic Rails app counts as a single application, regardless of how many servers it runs on, how many (sub-)domains it serves, or whether there are staging or test environments. If multiple Rails apps are used in a service architecture instead of a monolithic app, but look like a single service or product to the outside world, they still count as a single application.
Apps with different codebases powering separate services or products count as separate applications.
Agencies
An agency maintaining applications for several clients can use a single Rails LTS license, as long as the application limit is not exceeded.
If a client also has its own developers working on the application, a separate license is required.
Rails LTS is normally only ordered through our website and paid by credit card.
Some customers have additional requirements for procurement, such as
- payment by bank transfer,
- annual purchase orders,
- annual statements of work,
- invoices submitted on a procurement platform,
- etc.
We support this (up to a reasonable level), but only for Standard or Enterprise plans.
Bank transfer is only available for annual payments.
When ordering, you can select “bank transfer” as a payment method. If you cannot order directly through this website for other reasons, contact us instead.
Subscribers to the Enterprise plan will receive special support to ensure the successful integration of Rails LTS with complex Rails application setups.
In the past we have helped Enterprise customers with issues such as:
- Use of Rails LTS with local gem mirrors
- Issues with legacy versions of Rubygems or Bundler
- Issues with conflicting gem dependencies or monkey patches
- Support for large-scale deployments
We will assist your engineering team using e-mail, Google Hangouts, or similar tools.
Service Level Agreement
All our paid plans guarantee swift response to vulnerabilities that have been disclosed on the Rails security list.
Highest-priority issues
This includes vulnerabilities that can be used to devastating effect, or are easy to exploit on a wide range of applications. Examples of this issue class are SQL injection or remote code execution.
We will begin investigating high-priority issues within 24 hours of disclosure and will produce a new release of Rails LTS as soon as commercially feasible.
Low-priority issues
This includes issues that are extremely difficult to exploit, or can only be exploited given very uncommon configurations.
Patches for low-priority issues will be produced beginning on the first business day after disclosure.
How we classify issues
Whether or not an issue qualifies as a "highest-priority issue" will be decided by us (makandra GmbH) on a case-by-case basis. We are very conservative in our judgement and prefer to err on the side of caution.
For some context, in the first year of Rails LTS our reaction times were consistently below 24 hours:
Advisory | Time until Rails LTS patch |
---|---|
CVE-2013-4491 | 16.5 hours |
CVE-2013-6414 | 16.5 hours |
CVE-2013-6415 | 16.5 hours |
CVE-2013-6416 | 16.5 hours |
CVE-2013-6417 | 16.5 hours |
CVE-2014-0080 | 16.0 hours |
CVE-2014-0081 | 16.0 hours |
CVE-2014-0082 | 16.0 hours |
CVE-2014-0130 | 20.0 hours |
CVE-2014-3482 | 22.5 hours |
CVE-2014-3483 | 22.5 hours |