Security standards and practices
Rails LTS is a service of makandra, a team of Ruby developers and Linux system engineers based in Germany. We have 10 years of experience developing and operating web applications, and have always taken security very seriously.
This is a brief overview of how we handle Rails security issues for LTS, and how we operate the service:
Handling of security issues
Rails LTS primarily fixes security vulnerabilities after they have been publicly disclosed for the official release of Ruby on Rails. After an official advisory is published, multiple Rails security experts at makandra will determine which Rails LTS versions are vulnerable, and develop appropriate patches for all affected versions. Patches are validated, and always reviewed by more than one person. There are unit
tests in place for all versions of Rails LTS as well as integration tests using some of our own applications to make sure there are no regressions.
In some cases, security researches have reported issues to us that only affect older Rails versions, which have been fixed for Rails LTS. We operate a bug bounty program for critical vulnerabilities that do not apply to officially maintained Ruby on Rails releases.
Access to Rails LTS code and infrastructure at makandra
Access to the Rails LTS repository and infrastructure is restricted to a small subset of senior employees at makandra, secured by appropriate authentication mechanisms.
Gem server infrastructure
The Rails LTS gem server is hosted in an access controlled data center in Cologne, operated by plusserver.
Security plays an important role at makandra, in regards to the software and services we run, as well as to our workflows and practices. We are trusted by big German companies, our customers include names such as Audi, Volkswagen, Siemens, and Deutsche Bahn.
makandra has passed a independent audit and is certified according to TISAX, an information security standard of the European automotive industry.