Security: rack/rack

SECURITY.md

Security Policy

Supported versions

The current release series and the next most recent one (by major-minor version) will receive patches and new versions in case of a security issue.

Unsupported Release Series

When a release series is no longer supported, it’s your own responsibility to deal with bugs and security issues. If you are not comfortable maintaining your own versions, you should upgrade to a supported version.

Reporting a security issue

If you believe you have found a security issue in this project, please do not open a public issue. Instead, please use the "Report a Vulnerability" button at the top of this page (or on the relevant GitHub repository page) to report the issue privately.

Disclosure Policy

  1. The security report is received and reviewed by the Rack maintainers.
  2. The problem is confirmed and a list of all affected versions is determined. Code is audited to find any potential similar problems.
  3. Fixes are prepared for all releases which are still supported.
  4. Patches are released, new gem versions are published to RubyGems, and security advisories are published.

In cases where coordination with other projects or distributions is necessary, we may implement an embargo period before public disclosure. However, for most security issues, we aim to release fixes and advisories as quickly as possible.

Learn more about advisories related to rack/rack in the GitHub Advisory Database