security disclosure policy #96

Open
@hsbt

Description

@hsbt

ref. http://bugs.ruby-lang.org/issues/5821

In short, I think:

  http://www.ruby-lang.org/en/security/

should do more to emulate:

  http://jruby.org/security

Namely, we don't have a "Disclosure Procedure" section:

> Disclosure Procedure
> 
> The JRuby team will endeavor to follow these steps when handling reported vulnerabilities:
> 
> 1. Work with the reporter to determine the appropriate fix within 24-72 hours of the initial email report.
> 2. Once the fix has been found, wait for an embargo period of 48 hours.
> 3. After the embargo has passed, push out a new software release containing the fix.
> 4. Send email announcement on jruby-user mailing list containing source patch for most recent release.
> 5. Post an announcement on jruby.org and list below.

Can we get something like this added?
It is https://bugs.ruby-lang.org/projects/ruby/wiki/SecurityFixProcess
We don't have a time schedule.
