
Security: fleetdm/fleet

SECURITY.md

Security Policy

Reporting a Vulnerability

Please report any vulnerabilities discovered in Fleet products to security at fleetdm.com.

Fleet endeavors to acknowledge and fix any reported vulnerabilities ASAP. Reports are typically acknowledged within 1 business day, and patches usually go out within 5 business days (depending on severity and timing).

PGP Key

To encrypt vulnerability reports before sending them, please use this PGP key.

The fingerprint of the key is 82F2 AF19 547E 462A 4605 D538 01B2 575E 4676 6EBE.

Vulnerability tracking

GitHub issues concerning vulnerabilities will be tagged with the security label to differentiate them from other issues and maintain SOC2 compliance.

See security/README.md for more information on our process to keep Fleet products secure.

Compatibility

Fleet reserves the right to make breaking changes for security. Security fixes may introduce backward-incompatible changes and may be released in minor or patch versions.
