1. 5

  2. 8

    Certificate appears to have expired ~3 months ago.

    If anyone is involved with mruby, or knows folks who are, perhaps you could let them know.

    1. 1

      I happen to know the person behind mruby.sh. Done, thanks :). (Person reacted, will probably be fixed soonish)

    2. 2

      The issues with mruby have been to use it as a sandbox itself. While some languages like Lua (or JavaScript) have been made to be embeddable and expect to run arbitrary scripts, most application language implementations such as mruby, CRuby, CPython, etc. are not. The fix is simply to sandbox the process and not the script. By using seccomp, code execution in mruby doesn’t lead anywhere, so it makes sense for Shopify to reduce the bounty to 10% of its original price (and that’s still a generous amount for useless bugs). I’m glad to be one of the early participants of the bounty; there was a lot of low hanging fruit to exploit :)