2013-12-03
2019-08-02

Reward: $500

Ruby on Rails

Rails is used to power some of the most important sites on the web and its increasing popularity has made it a critical piece of internet infrastructure. If you've found a security bug that could potentially impact the security of these sites, you have our thanks and might be eligible for a cash reward.

Bounty Qualification
====================

The Internet Bug Bounty (IBB) awards security research on Ruby on Rails. If your vulnerability meets the eligibility criteria, you can submit the post-fix information to the IBB for payout. Because the IBB supports the whole vulnerability lifecycle, these bounties are paid as an 80/20 split: 80% goes to you, the finder, and 20% goes to Ruby on Rails to continue supporting its vulnerability remediation efforts.

To submit eligible vulnerabilities for a payout go to https://hackerone.com/ibb for submission instructions after the project maintainers have resolved the vulnerability.

The project maintainers have final decision on which issues constitute security vulnerabilities. The IBB team will respect their decision, and we ask that you do as well.

$500 Bonus for a Valid Patch

If your report includes a correctly formatted patch for the issue you've uncovered, you may be eligible for a $500 bonus when the report is accepted and resolved.

Please note that your patch will also need to be considered an acceptable solution by the project maintainers.

Patch eligibility requirements are as follows:

  • Patch file created with git format-patch or an equivalent format.

  • Includes a solution for all relevant supported Rails versions. Details on supported versions are available here.

  • Includes regression tests for the reported issue.

  • Patch is accepted and adopted by the project maintainers.

Patches risk being ineligible if any of the stated requirements are not met.

You can learn more about how to contribute to Ruby on Rails here.

Safe Harbor

Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

In Scope

Scope Type        Scope Name
web_application   https://github.com/rails/rails

Out of Scope

Scope Type        Scope Name
web_application   *.rubyonrails.org


FireBounty © 2015-2024
