If you have found a security vulnerability in Ruby on Rails, you should check if it affects a currently supported version of Ruby on Rails as specified by the official security policy. If it does, or you think it might, or if it affects a version that has only very recently left maintenance, please do not report it to us, but report it to the Ruby on Rails team instead.
If you have found an issue that only affects one of the Rails LTS versions, please report it to us via e-mail to railslts-security@makandra.de. For such reports we maintain a bug bounty program that roughly matches the program for the official Rails release.
Specifically, we will pay bounties of €1,300 - €1,800 depending on the severity of the vulnerability. To be eligible, a report must clearly demonstrate a critical vulnerability that
Eligibility and the bounty amount are solely determined by makandra GmbH.
We also encourage you to report less critical vulnerabilities that are not eligible for a bounty and will credit you upon disclosure.