Merge branch 'devel' into react-fast-refresh-ie-fix

SECURITY.md

@@ -0,0 +1,43 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 2.x.y   | ✅ |
+| 1.12.x   | 🚧 |
+| < 1.11.x   | ❌                |
+
+## Reporting a Vulnerability
+
+Report security bugs to security@meteor.com.
+
+Your report will be acknowledged within 2 work days, and you'll receive a more
+detailed response to your report within 6 work days indicating the next steps in
+handling your submission.
+
+After the initial reply to your report, the security team will endeavor to keep
+you informed of the progress being made towards a fix and full announcement,
+and may ask for additional information or guidance surrounding the reported
+issue.
+
+We don't have any bounty program. 
+
+## Reporting a security bug in a third party module
+
+Security bugs in third party modules should be reported to their respective
+maintainers.
+
+Thank you for improving the security of Meteor and its ecosystem. Your efforts
+and responsible disclosure are greatly appreciated and will be acknowledged.
+
+## Disclosure policy
+
+Here is the security disclosure policy for Meteor
+
+* The security report is received and is assigned a primary handler. This
+  person will coordinate the fix and release process. The problem is confirmed
+  and a list of all affected versions is determined. Code is audited to find
+  any potential similar problems. Fixes are prepared for all releases which are
+  still under maintenance. These fixes are not committed to the public
+  repository but rather held locally pending the announcement.