Why did it take so long for this XSS vulnerability to be fixed?

Summary: Developer found a bug in escape_javascript related to ES6 “template literals” aka backtick-strings and reported it through HackerOne. It took over a year for a patch to be released.

Full post here

Rails on HackerOne (the report referenced here shows as awarded but still not officially disclosed)

I am curious who’s paying for the HackerOne bounties, and would like to say THANK YOU to whoever that is!