Open
Description
ref. http://bugs.ruby-lang.org/issues/5821
In short, I think:
http://www.ruby-lang.org/en/security/
should do more to emulate:
http://jruby.org/security
Namely, we don't have a "Disclosure Procedure" section:
> Disclosure Procedure
>
> The JRuby team will endeavor to follow these steps when handling reported vulnerabilities:
>
> 1. Work with the reporter to determine the appropriate fix within 24-72 hours of the initial email report.
> 2. Once the fix has been found, wait for an embargo period of 48 hours.
> 3. After the embargo has passed, push out a new software release containing the fix.
> 4. Send email announcement on jruby-user mailing list containing source patch for most recent release.
> 5. Post an announcement on jruby.org and list below.
Can we get something like this added?
It is https://bugs.ruby-lang.org/projects/ruby/wiki/SecurityFixProcess
We don't have a time schedule.