Yesterday, we released our Security Incident Report, a comprehensive review of the September AWS root-access event. The report reflects both independent and internal analysis, outlining what occurred, what was verified, and the actions we’ve taken to strengthen our systems and practices.

You can read the full report here: Rubygems.org AWS Root Access Event – September 2025

The findings confirm that this was a procedural lapse in credential management for production hosting after a person was discharged.

Where We Are Now

All RubyGems.org services remain stable, secure, and operational.

The triggering event revealed weaknesses in credential management practices, which we have corrected. All credentials have been rotated and are further protected with MFA.

We’ve also strengthened operational coverage by adding two new maintainers to our on-call rotation to improve resilience and response capacity.

In our efforts to further strengthen operational resilience, we are opening up opportunities for additional community participation in operations through structured volunteer support from trusted individuals and companies. Specifically, through Ruby Central’s Corporate Contributor Stewardship Program, companies commit in-kind engineering time to work with our team on priority maintenance, reliability, and security tasks across RubyGems, Bundler, and RubyGems.org. Ruby Central coordinates onboarding, scope, and review so contributors can plug in quickly and safely. To learn more, reach out to contact@rubycentral.org.

What We’re Hearing

We recognize the strong emotions that continue to surface in community channels. Many community members have expressed frustration, skepticism, and fatigue, along with a shared desire for clarity and accountability.

Recently, partial email communications regarding production access have circulated publicly. To provide the correct context and clarity and to ensure that the community has the full and accurate picture, we will release the full thread of our original communication informing the individual in question that their production access to RubyGems.org was terminated. Any access after that point was strictly unauthorized.

We also acknowledge that this transition period for the paid contractors that operate the service has created uncertainty and concern.

Our intention is to move beyond back-and-forth exchanges, and to continue to restore calm, trust, and stability by being transparent and clear about key facts.

Trust is earned through consistency. Our goal and our responsibility is to match words with visible actions, strengthening security, operating transparently, and inviting dialogue that is grounded in respect and shared purpose.

Why No Live Q&A (Yet)

Several community members have asked why we haven’t held a live Q&A.

During the incident discovery and validation phase, there were many moving parts and active verification steps. A live Q&A at that time would have risked spreading incomplete information and excluded contributors who couldn’t participate in real time.

Additionally, on Friday, September 26, Ruby Central received a cease-and-desist letter from Andre Arko’s lawyer informing us that he claims to own “Bundler” as a trademark and demands that Ruby Central stop using “Bundler,” along with various other demands. Ruby Central disagrees with Arko’s claims, and we have engaged with trademark law counsel to work with Arko’s counsel on this matter. As part of the legal process, we do not expect to make further public comments about the matter until the issues are fully resolved.

Because we are simultaneously addressing a legal matter and responding to a security incident, it has delayed us in rescheduling the Q&A.

We chose an asynchronous format with weekly updates and published Q&A, so questions can be addressed publicly and so that everyone, regardless of location or schedule, can review the same verified information.

A live Q&A may still happen once it can add value without detracting from our mission and focus.

Looking Ahead

In the coming weeks, Ruby Central will:

  • Continue implementing security and governance improvements outlined in the post-incident report.
  • Publish follow-up progress on Operator and Contributor Agreements.

Our stewardship of RubyGems.org remains secure and continuous. We are deeply grateful for the community’s patience, accountability, and commitment to Ruby’s future.

With respect,

Shan Cureton

Executive Director