Found a security issue with RubyGems or RubyGems.org? Please follow these steps to report it.
For bounty rewards, only the rubygems library is in scope.
Before continuing, please ensure this is a security issue in the RubyGems client or the RubyGems.org service. For vulnerabilities in individual gems, follow our guide on reporting security issues with others' gems. If it's a security issue in the Ruby on Rails framework, see the Rails Security guide.
For any security bug or issue with the RubyGems client or RubyGems.org service, please let us know here with details about the problem.
Please note: the rubygems-developers mailing list, the rubygems.org mailing list, and the #rubygems IRC channel are public areas. If escalating to these places, please do not discuss your issue; simply say that you're trying to get a hold of someone from the security team. Thanks in advance for responsibly disclosing your security issue.
If you're having trouble pushing a gem, or otherwise need help with your RubyGems.org account, please open a new help issue.
For bugs or other problems with RubyGems.org, please use the RubyGems.org help site to open a new issue.
RubyGems and RubyGems.org follow a 5-step disclosure process:
This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible; however, it's important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.
While researching, we'd like to ask you to refrain from:
The best way to receive all the security announcements is to subscribe to the rubygems-developers mailing list.
No one outside the core team or the initial reporter will be notified prior to the lifting of the embargo. We regret that we cannot make exceptions to this policy for high traffic or important sites, as any disclosure beyond the minimum required to coordinate a fix could cause an early leak of the vulnerability.
For bounty rewards, only the rubygems library is in scope. Also, only critical vulnerabilities that demonstrate complete compromise of the system's integrity or confidentiality are eligible for a bounty, typically Arbitrary Code Execution or equivalent impact. While we encourage you to submit all potential issues, lower severity issues are not in scope for the bounty at this time.
| Impact | Criteria | Amount |
|---|---|---|
| High | Demonstrate that remote exploitation of this bug can be easily, actively, and reliably achieved. | $1,500+ |
| Medium | Demonstrate that remote exploitation of this bug is very likely (e.g. good control of a register). | $1,000 |
| Minimum | Demonstrate the presence of a security bug with probable remote exploitation potential. | $500 |
The project maintainers have final decision on which issues constitute security vulnerabilities. The Internet Bug Bounty Panel will respect their decision, and we ask that you do as well. It's important to keep in mind that not all submissions will qualify for a bounty, and that the decision to award a bounty is entirely at the discretion of the Panel.
If you have any suggestions to improve this policy, please send an email to firstname.lastname@example.org.
Thank you for helping keep RubyGems and our users safe!
| Scope Type | Scope Name |
|---|---|
| | Malicious or compromised gem |
This program was found on HackerOne on 2019-08-08.