Please send an email to firstname.lastname@example.org when you think you have found a security vulnerability in JRuby or one of its associated libraries (such as the jruby-openssl gem). We will do our best to respond to you within 72 hours and work with you to fix and properly disclose the nature of the vulnerability. Please note that email@example.com is a private email address and email sent to it will not result in public disclosure.
The JRuby team will endeavor to follow these steps when handling reported vulnerabilities:
Recommended upgrade. Potential for denial-of-service (DoS) attacks with specially crafted large hash/parameter lists. See the announcement for details.
Recommended upgrade. Potential for XSS attacks on prior versions of JRuby. See the announcement for details.
Recommended upgrade. Affects some applications that use OpenSSL::SSL::VERIFY_PEER mode and jruby-openssl 0.5.2 or earlier. See the announcement for details.