We take the security of our community very seriously and investigate all security reports in a timely manner. Researchers or users may occasionally encounter vulnerabilities on Meetup. Below is a guide to reporting vulnerabilities.
Guidelines
- Let us know about issues you spot, including:
- OWASP Top Ten web, mobile, or API vulnerabilities
- Authentication or authorization bypasses
- Misconfigured servers or infrastructure errors
- Endpoints that are vulnerable, or that expose internal resources or incorrect or excessive information
- Privilege escalation or arbitrary code execution, however caused
- Control flow, routing, or other logic errors
- Don't impersonate users, or otherwise conceal your identity from us (for example, by using another person’s user ID, IP address, user agent, mobile device identifiers, or another device). Use your own account or test account(s) and never test with other community members’ accounts or identifying information without their consent.
- Don't use social engineering techniques (phishing, vishing, etc.).
- Don't do anything that might degrade the availability of services or data to other users in any way, such as brute force attacks, (distributed) denial-of-service attacks, or potentially resource-intensive scripts.
- Don't access or delete other users' or company data, or interact with your own account in a way that could affect others. If you encounter another user’s data, let Meetup know where and how, do not send the data to Meetup, and immediately delete any data you may have accessed.
- Don't test more than necessary once you think you've spotted something.
- Reports that consist only of the output of common scanning tools, generic best-practice recommendations, or version numbers, or that otherwise lack an explanation of relevance, likelihood, or severity, are unlikely to receive acknowledgement or consideration.
- If you find a vulnerability in an open source library we're using, please also consider sharing your report with the maintainers.
How to submit
Please send your findings to security@meetup.com, along with any screenshots or steps that might help us reproduce or evaluate the issue.
What happens after I submit my report?
We will classify previously unreported issues and make a good faith effort to acknowledge your report. We cannot guarantee that we will provide details on our prioritization or resolution of the issues identified in a report.
Safe Harbor
If you fully comply with this policy and conduct your research and reporting activities in a good-faith manner, we will not initiate legal action or a law enforcement investigation against you. If legal action is initiated by a third party against you in connection with your research and reporting activities and you have fully complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
Bug Bounty
We will publicly thank the first reporter for previously unreported, responsibly disclosed issues that we deem to be a risk to our community. We may consider a reward for significant reports on a case-by-case basis.