Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.
Before continuing, please ensure this is a security issue for the RubyGems client or the RubyGems.org service. For all vulnerabilities with individual gems, follow our guide on reporting security issues with others' gems. If it's a security issue with the Ruby on Rails framework, see the Rails Security guide.
For any security bug or issue with the RubyGems client or RubyGems.org service, please email email@example.com with details about the problem or submit a report using HackerOne. The RubyGems client library is in scope for bounty reward. You can read the details of the bounty program on the RubyGems HackerOne page.
Please note: the rubygems-developers mailing list, the rubygems.org mailing list, and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue, simply say that you’re trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.
If you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.
For bugs or other problems with RubyGems.org, please use the RubyGems.org issue tracker to open a new issue.
RubyGems and RubyGems.org follow a 5 step disclosure policy:
This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it’s important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.
The best way to receive all the security announcements is to subscribe to the rubygems-developers mailing list.
No one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.