Reporting a vulnerability
If you have discovered a security vulnerability in Ruby on Rails, first verify whether it affects a currently supported version of Ruby on Rails as outlined in the official security policy. If it does, or if you're unsure, or if it impacts a version that has only recently reached its end of maintenance, please do not report it to us. Instead, report it directly to the Ruby on Rails team.
If you have found an issue that specifically affects one of the Rails LTS versions, please report it to us via email at railslts-security@makandra.de. We offer a bug bounty program for such reports, which is similar to the official Rails program.
Bug bounty program
We pay bounties ranging from €1,300 to €1,800 depending on the severity of the vulnerability. To be eligible, a report must clearly demonstrate a critical vulnerability that:
- Completely compromises a system's integrity or confidentiality (e.g., arbitrary code execution, universal SQL injection, or similar).
- Does not affect currently supported official Ruby on Rails releases (as per the official security policy).
- Has not been previously disclosed or resolved in an official Ruby on Rails release.
Eligibility and the bounty amount are determined solely by makandra GmbH.
We also encourage you to report less critical vulnerabilities, even if they are not eligible for a bounty. We will credit you upon disclosure.