Program scope

We appreciate reports that can help us improve our security posture. Please review the following details carefully before submitting your findings.

In-scope assets

• Source code: https://github.com/fleetdm/fleet
• API docs: https://fleetdm.com/docs/rest-api/rest-api

Out-of-scope assets

• Any services hosted by third parties, unless they impact the security of our primary assets.
• Marketing pages (e.g., blog, landing pages).
• Physical offices and infrastructure.
• Employee social media accounts.

Vulnerabilities We're Interested In

• Cross-Site Scripting (XSS)
• SQL Injection
• Authentication bypass
• Privilege escalation
• Misconfigured access controls
• Remote Code Execution (RCE)
• Security misconfigurations
• Server-side request forgery (SSRF)

Vulnerabilities Out-of-Scope

• Issues solely affecting outdated browsers
• Missing HTTP security headers (unless they lead to a proven vulnerability)
• Vulnerabilities requiring physical access
• Self-XSS requiring significant user interaction
• Reports from automated tools without clear evidence of impact
• Theoretical vulnerabilities without proof of exploitation

Rewards

We offer bounties based on the severity and impact of the vulnerability:

• Critical: Full system compromise or large-scale breach
  E.g. Remote Code Execution (RCE), database access, admin interfac access
• High: Access to sensitive data or elevated privileges without full compromise
  E.g. Privilege escalation, significant data exposure, authentication bypass
• Medium: Abuses that require some user interaction or unusual conditions
  E.g.: Cross-Site Scripting (XSS), CSRF, minor API issues
• Low: Minor misconfigurations or information disclosure
  E.g.: Information disclosure without direct impact, missing security headers

Note: Reports without clear security implications or that require unrealistic attack scenarios will not be rewarded.

Submission Guidelines

• Provide clear, step-by-step instructions to reproduce the vulnerability
• Include screenshots, videos, or code snippets where possible
• Test only on your own accounts; do not access others' data
• Describe the potential impact and attack scenario
• Be respectful of our users' privacy and our systems' stability

Rate Limits & Testing Constraints

• Limit requests to no more than 10 requests per minute
• Avoid testing that triggers excessive emails or notifications (max 5 per hour)
• Limit login/authentication attempts to 10 per hour
• Avoid any testing that could impact system availability or other users

Our Commitment

• We will acknowledge your report within 5 business days
• A resolution or update will be provided within 10 business days
• We will keep you informed about the status of your report
• We will recognize your contribution if you wish to be acknowledged

Discretion

All vulnerability severity ratings and eligibility for rewards are determined at Fleet’s sole discretion. Severity assessments are based on our evaluation of real-world impact, exploitability, and risk to our customers.

Submission of a report does not guarantee a reward, and Fleet reserves the right to modify or decline rewards at any time.