meteor/meteor

SECURITY.md

# Security Policy

## Supported Versions

| Version | Support Status
| ------- | --------------
| 2.x.y   | ✅  all security issues
| <= 1.12.x   | ❌  no longer supported

## Reporting a Vulnerability

Report security bugs to security@meteor.com.

Your report will be acknowledged within 2 work days, and you'll receive a more
detailed response to your report within 6 work days indicating the next steps in
handling your submission.

After the initial reply to your report, the security team will endeavor to keep
you informed of the progress being made towards a fix and full announcement,
and may ask for additional information or guidance surrounding the reported
issue.

We don't have any bounty program. 

## Reporting a security bug in a third-party module

Security bugs in third-party modules should be reported to their respective
maintainers.

Thank you for improving the security of Meteor and its ecosystem. Your efforts
and responsible disclosure are greatly appreciated and will be acknowledged.

## Disclosure policy

Here is the security disclosure policy for Meteor:

* The security report is received and is assigned a primary handler. This
  person will coordinate the fix and release process. The problem is confirmed
  and a list of all affected versions is determined. Code is audited to find
  any potential similar problems. Fixes are prepared for all releases which are
  still under maintenance. These fixes are not committed to the public
  repository but rather held locally pending the announcement.