Security vulnerabilities should be reported via an email to security@ruby-lang.org, which is a private mailing list.

DO NOT report them via redmine because redmine publishes the reported problems immediately.

The security team discusses about and fixes the vulnerability as soon as possible.

• Releases a new patch-level release of Ruby, or publishes a patch.
• Sends an email to ruby-talk and ruby-list.
• Posts an article to the news page on www.ruby-lang.org.
  • Adds a link to the article into the security page on www.ruby-lang.org.

The security team consists of some of committers and other security specialists.

Release managers and distributors, who creates and distributes package of Ruby - e.g. a package manager of Ruby in some Linux distribution, should subscribe security@ruby-lang.org.