In short, I think http://www.ruby-lang.org/en/security/ should do more to emulate http://jruby.org/security. Namely, we don't have a "Disclosure Procedure" section:

> Disclosure Procedure
>
> The JRuby team will endeavor to follow these steps when handling reported vulnerabilities:
>
> 1. Work with the reporter to determine the appropriate fix within 24-72 hours of the initial email report.
> 2. Once the fix has been found, wait for an embargo period of 48 hours.
> 3. After the embargo has passed, push out a new software release containing the fix.
> 4. Send email announcement on jruby-user mailing list containing source patch for most recent release.
> 5. Post an announcement on jruby.org and list below.

Can we get something like this added?