mirror of
https://github.com/meteor/meteor.git
synced 2026-05-02 03:01:46 -04:00
44 lines
1.5 KiB
Markdown
# Security Policy

## Supported Versions

| Version   | Support Status                   |
| --------- | -------------------------------- |
| 2.x.y     | ✅ all security issues            |
| 1.12.x    | 🚧 only critical security issues |
| <= 1.11.x | ❌ no longer supported            |

## Reporting a Vulnerability

Report security bugs to security@meteor.com.

Your report will be acknowledged within 2 work days, and you'll receive a more
detailed response to your report within 6 work days indicating the next steps in
handling your submission.

After the initial reply to your report, the security team will endeavor to keep
you informed of the progress being made towards a fix and full announcement,
and may ask for additional information or guidance surrounding the reported
issue.

We don't have any bounty program.

## Reporting a security bug in a third party module

Security bugs in third party modules should be reported to their respective
maintainers.

Thank you for improving the security of Meteor and its ecosystem. Your efforts
and responsible disclosure are greatly appreciated and will be acknowledged.

## Disclosure policy

Here is the security disclosure policy for Meteor:

* The security report is received and is assigned a primary handler. This
  person will coordinate the fix and release process. The problem is confirmed
  and a list of all affected versions is determined. Code is audited to find
  any potential similar problems. Fixes are prepared for all releases which are
  still under maintenance. These fixes are not committed to the public
  repository but rather held locally pending the announcement.