# Security Policy

## Reporting a Vulnerability

Please report any vulnerabilities discovered in Fleet products to security **at** fleetdm.com.

Fleet endeavors to acknowledge and fix any reported vulnerabilities ASAP. Acknowledgement is typically within 1 business day, and patches usually go out within 5 business days (depending on severity and timing).

### PGP Key

To encrypt vulnerability reports before sending them, please use this [PGP key](https://keys.openpgp.org/vks/v1/by-fingerprint/82F2AF19547E462A4605D53801B2575E46766EBE).

The fingerprint of the key is `82F2 AF19 547E 462A 4605  D538 01B2 575E 4676 6EBE`.

### Vulnerability tracking

GitHub issues concerning vulnerabilities will be tagged with the **security** label to differentiate them from other issues and maintain SOC2 compliance.  

See [security/README.md](./security/README.md) for more information on our process to keep Fleet products secure.

### Compatibility

Fleet reserves the right to make breaking changes for security. Security fixes may introduce backward-incompatible changes and may be released in minor or patch versions.