SECURITY.md

Security Policy

Supported versions

New features

New features will only be added to the main branch and will not be made available in point releases.

Bug fixes

Only the latest release series will receive bug fixes. When enough bugs are fixed and it's deemed worthy to release a new gem, this is the branch it happens from.

Security issues

Only the latest release series will receive patches and new versions in case of a security issue.

Severe security issues

For severe security issues we will provide new versions as above, and also the last major release series will receive patches and new versions. The classification of the security issue is judged by the core team.

Unsupported Release Series

When a release series is no longer supported, it's your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.

Reporting a bug

Open an issue on the GitHub repository.

Disclosure Policy

We look forward to working with all security researchers and strive to be respectful, always assume the best and treat others as peers. We expect the same in return from all participants. To achieve this, our team strives to:

  • Reply to all reports within one business day and triage within two business days (if applicable)
  • Be as transparent as possible, answering all inquiries about our report decisions and adding hackers to duplicate HackerOne reports
  • Award bounties within a week of resolution (excluding extenuating circumstances)
  • Only close reports as N/A when the issue reported is included in Known Issues, Ineligible Vulnerabilities Types or lacks evidence of a vulnerability

Receiving Security Updates

To receive all general updates to vulnerabilities, please subscribe to Shopify's HackerOne Hacktivity.