fleet/SECURITY.md

# Security Policy

## Reporting a Vulnerability

Please report any vulnerabilities discovered in Fleet products to security **at** fleetdm.com.

Fleet endeavors to acknowledge and fix any reported vulnerabilities ASAP. Acknowledgement is typically within 1 business day, and patches usually go out within 5 business days (depending on severity and timing).

### PGP Key

To encrypt vulnerability reports before sending them, please use this [PGP key](https://keys.openpgp.org/vks/v1/by-fingerprint/23A19D1F16D7184657D16D67320DB57DE4F0EE8F). 

The fingerprint of the key is `23A1 9D1F 16D7 1846 57D1  6D67 320D B57D E4F0 EE8F`.

### Vulnerability tracking

GitHub issues concerning vulnerabilities will be tagged with the **security** label to differentiate them from other issues and maintain SOC2 compliance.  

See [security/README.md](./security/README.md) for more information on our process to keep Fleet products secure.

### Compatibility

Fleet reserves the right to make breaking changes for security. Security fixes may introduce backward-incompatible changes and may be released in minor or patch versions.
-												Create SECURITY.md (#146)


											
										
										
											2020-12-22 16:26:39 +00:00
+								# Security Policy
 								## Reporting a Vulnerability
-												Editing security policy (#5333)

Security disclosure should not go to the main contact form.
											
										
										
											2022-05-06 01:29:06 +00:00
+								Please report any vulnerabilities discovered in Fleet products to security **at** fleetdm.com.
-												Create SECURITY.md (#146)


											
										
										
											2020-12-22 16:26:39 +00:00
 								Fleet endeavors to acknowledge and fix any reported vulnerabilities ASAP. Acknowledgement is typically within 1 business day, and patches usually go out within 5 business days (depending on severity and timing).
-												Adding PGP Key (#3961)

For vulnerability submissions.
											
										
										
											2022-02-01 15:48:00 +00:00
 								### PGP Key
 								To encrypt vulnerability reports before sending them, please use this [PGP key](https://keys.openpgp.org/vks/v1/by-fingerprint/23A19D1F16D7184657D16D67320DB57DE4F0EE8F).
 								The fingerprint of the key is `23A1 9D1F 16D7 1846 57D1  6D67 320D B57D E4F0 EE8F`.
-												Update SECURITY.md (#17951)

Added note about the security label for SOC2 compliance.

Co-authored-by: Joanne Stableford <59930035+JoStableford@users.noreply.github.com>
											
										
										
											2024-05-17 16:00:31 +00:00
 								### Vulnerability tracking
-												Add scanning to released images and process to track vulnerabilities (#28087)

For #25902.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
											
										
										
											2025-04-16 14:50:10 +00:00
-												Update SECURITY.md (#17951)

Added note about the security label for SOC2 compliance.

Co-authored-by: Joanne Stableford <59930035+JoStableford@users.noreply.github.com>
											
										
										
											2024-05-17 16:00:31 +00:00
+								GitHub issues concerning vulnerabilities will be tagged with the **security** label to differentiate them from other issues and maintain SOC2 compliance.
-												Add scanning to released images and process to track vulnerabilities (#28087)

For #25902.

---------

Co-authored-by: Sharon Katz <121527325+sharon-fdm@users.noreply.github.com>
											
										
										
											2025-04-16 14:50:10 +00:00
-												Add note about compatibility to security policy (#40555)

Add language clarifying that Fleet may occasionally break semver
conventions when addressing security issues.
											
										
										
											2026-02-27 15:28:54 +00:00
+								See [security/README.md](./security/README.md) for more information on our process to keep Fleet products secure.
 								### Compatibility
 								Fleet reserves the right to make breaking changes for security. Security fixes may introduce backward-incompatible changes and may be released in minor or patch versions.