Reporting vulnerabilities

If you have found a security vulnerability in Ruby on Rails, you should check if it affects a currently supported version of Ruby on Rails as specified by the official security policy. If it does, or you think it might, or if it affects a version that has only very recently left maintenance, please do not report it to us, but report it to the Ruby on Rails team instead.

If you have found an issue that only affects one of the Rails LTS versions, please report it to us via e-mail to For such reports we maintain a bug bounty program that roughly matches the program for the official Rails release.

Specifically, we will pay bounties of €1,300 - €1,800 depending on the severity of the vulnerability. To be eligible, a report must clearly demonstrate a critical vulnerability that

  • completely compromises a system's integrity or confidentiality (arbitrary code execution, universal SQL injection, or something of similar impact)
  • does not affect currently supported official Ruby on Rails releases (as determined by the official security policy)
  • was not already disclosed or resolved in an official Ruby on Rails release

Eligibility and bounty amount is solely determined by makandra GmbH.

We also encourage you to report less critical vulnerabilities that are not eligible for a bounty and will credit you upon disclosure.

Rails LTS is a service provided by makandra GmbH.
Rails LTS is not affiliated with the Rails core team or Basecamp.
This website uses cookies to improve usability.
Accept or learn more