In short, I think:

  http://www.ruby-lang.org/en/security/

should do more to emulate:

  http://jruby.org/security

Namely, we don't have a "Disclosure Procedure" section:

> Disclosure Procedure
>
> The JRuby team will endeavor to follow these steps when handling reported vulnerabilities:
>
> 1. Work with the reporter to determine the appropriate fix within 24-72 hours of the initial email report.
> 2. Once the fix has been found, wait for an embargo period of 48 hours.
> 3. After the embargo has passed, push out a new software release containing the fix.
> 4. Send email announcement on jruby-user mailing list containing source patch for most recent release.
> 5. Post an announcement on jruby.org and list below.

Can we get something like this added?