Service level agreement

All our paid plans guarantee swift response to vulnerabilities that have been disclosed on the Rails security list.

Highest-priority issues

This includes vulnerabilities that can be used to devastating effect, or are easy to exploit on a wide range of applications. Examples of this issue class are SQL injection or remote code execution.

We will begin investigating high-priority issues within 24 hours of disclosure and will produce a new release of Rails LTS as soon as commercially feasible.

Low-priority issues

This includes issues that are extremely difficult to exploit, or can only be exploited given very uncommon configurations.

Patches for low-priority issues will be produced beginning on the first business day after disclosure.

How we classify issues

Whether or not an issue qualifies as a "highest-priority issue" will be decided by us (makandra GmbH) on a case-by-case basis. We are very conservative in our judgement and prefer to err on the side of caution.

For some context, in the first year of Rails LTS our reaction times were consistently below 24 hours:

Advisory Time until Rails LTS patch
CVE-2013-4491 16.5 hours
CVE-2013-6414 16.5 hours
CVE-2013-6415 16.5 hours
CVE-2013-6416 16.5 hours
CVE-2013-6417 16.5 hours
CVE-2014-0080 16.0 hours
CVE-2014-0081 16.0 hours
CVE-2014-0082 16.0 hours
CVE-2014-0130 20.0 hours
CVE-2014-3482 22.5 hours
CVE-2014-3483 22.5 hours
OK
Rails LTS is a service provided by makandra GmbH.
Rails LTS is not affiliated with the Rails core team or Basecamp.