Please report any vulnerabilities discovered in Fleet products to security at fleetdm.com.
Fleet endeavors to acknowledge and fix any reported vulnerabilities ASAP. Acknowledgement is typically within 1 business day, and patches usually go out within 5 business days (depending on severity and timing).
To encrypt vulnerability reports before sending them, please use this PGP key.
The fingerprint of the key is 23A1 9D1F 16D7 1846 57D1  6D67 320D B57D E4F0 EE8F.
GitHub issues concerning vulnerabilities will be tagged with the security label to differentiate them from other issues and maintain SOC2 compliance.
See security/README.md for more information on our process to keep Fleet products secure.