“Furthermore, Ruby is a complicated language which makes every Ruby implementation complex and likely to contain bugs.”
So for anyone who didn’t click the link: mruby is a minimal Ruby VM and bytecode compiler, and Shopify uses it to provide flexibility to their customers. To feel more confident about the security, they put up a security issue bounty, and they got more reports than they had ever expected, to a total of half a million dollars, and the program is still ongoing.
I think it’s really awesome to see a company put this level of resources into a free software product that they are using, plus that they are also sharing a derived solution (mbed as a sandbox inside Ruby) they made for their own use.
As for mbed, at least they seem to be taking it seriously, and have realized that bug fixes should come with regression tests and that maybe they would benefit from implementing more of the product in Ruby itself. With all the RIIR hubbub making the rounds lately, it’s both comic and encouraging to see that they are considering rewriting parts in Rust. The article doesn’t show what type of bugs they had though, whether it was buffer overflows, double-frees and other things that Rust might actually remedy, or if it was things that might more accurately be called algorithmic or low-level design flaws.