I have been reviewing the documentation to determine how the project addresses vulnerabilities discovered in end-of-life (EOL) releases. Specifically, whether CVE or GHSA advisories are published and maintained for such cases.
As part of a team responsible for maintaining a Rails application, I would find it helpful if the “Maintenance Policy for Ruby on Rails” page explicitly clarified this. If no formal approach currently exists, this may be a good opportunity to define one.
The maintenance page spells all this out in pretty good detail. They provide 2 years of security fixes. After that it’s no longer supported. The page explicitly says:
When a release series is no longer supported, it’s your own responsibility to deal with bugs and security issues
That being said, there is a 3rd party organization that provides paid support for older releases.
You’re suggesting that the Rails “Maintenance Policy” should clearly state how vulnerabilities in EOL releases are handled, whether CVE/GHSA advisories are published or not, similar to how Node.js now treats all EOL versions as vulnerable unless proven otherwise.
Maybe I’m not following what you are asking but I’m suggesting the maintenance policy already does state how vulns in EOL releases are handled. It explicitly says it’s unsupported and your responsibility.
It’s making clear that the vuln does not affect versions before 5.2 (I’m guessing that was when ActiveStorage was introduced). I’m not sure if every CVE includes that info, but many do. Since running EOL is the user’s responsibility, then regardless of whether the info is there or not, if you are on an unsupported version you’ll have to examine each CVE and determine if it’s applicable (or pay someone to do that for you).