
Security: meteor/meteor


SECURITY.md

Security Policy

Supported Versions

Version      Support Status
2.x.y        ✅ all security issues
<= 1.12.x    ❌ no longer supported

Reporting a Vulnerability

Report security bugs to security@meteor.com.

Your report will be acknowledged within 2 work days, and you'll receive a more detailed response to your report within 6 work days indicating the next steps in handling your submission.

After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement, and may ask for additional information or guidance surrounding the reported issue.

We don't have any bounty program.

Reporting a security bug in a third party module

Security bugs in third party modules should be reported to their respective maintainers.

Thank you for improving the security of Meteor and its ecosystem. Your efforts and responsible disclosure are greatly appreciated and will be acknowledged.

Disclosure policy

Here is the security disclosure policy for Meteor:

  • The security report is received and is assigned a primary handler. This person will coordinate the fix and release process. The problem is confirmed and a list of all affected versions is determined. Code is audited to find any potential similar problems. Fixes are prepared for all releases which are still under maintenance. These fixes are not committed to the public repository but rather held locally pending the announcement.

There aren’t any published security advisories