Security standards and practices
Rails LTS is a service of, a team of Ruby developers and Linux system engineers based in Germany. We have more than 10 years of experience developing and operating web applications, and have always taken security very seriously.
This is a brief overview of how we handle Rails security issues for LTS, and how we operate the service:
Rails LTS primarily fixes security vulnerabilities after they have been publicly disclosed for the official release of Ruby on Rails. After an official advisory is published, multiple Rails security experts at makandra will determine which Rails LTS versions are vulnerable, and develop appropriate patches for all affected versions. Patches are validated, and always reviewed by more than one person. There are unit
tests in place for all versions of Rails LTS as well as integration tests using some of our own applications to make sure there are no regressions.
In some cases, security researches have reported issues to us that only affect older Rails versions, which have been fixed for Rails LTS. We operate afor critical vulnerabilities that do not apply to officially maintained Ruby on Rails releases.
Access to the Rails LTS repository and infrastructure is restricted to a small subset of senior employees at makandra, secured by appropriate authentication mechanisms.
The Rails LTS gem server is hosted in an access controlled data center in Cologne operated by. The gem server is frequently patched and kept secured by our .
Security plays an important role at makandra, in regards to the software and services we run, as well as to our workflows and practices. We are trusted by big German companies, our customers include names such as Audi, Volkswagen, Siemens, and Deutsche Bahn.
makandra has passed a independent audit and is certified according to, an information security standard of the European automotive industry.