Vulnerability Disclosure Policy
Reporting a Vulnerability
If you believe you have found a security vulnerability in FleetMon, we encourage you to report it responsibly. Please contact us at:
- Email: security@rindipk.se
Please include as much detail as possible to help us understand and reproduce the issue:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- The version of FleetMon affected (if known)
- Any relevant screenshots or logs
What to Expect
| Step | Timeline |
|---|---|
| Acknowledgement of your report | Within 3 business days |
| Initial assessment and triage | Within 10 business days |
| Status update on remediation | Within 30 days |
| Fix deployed or mitigation communicated | Depends on severity |
Scope
This policy covers the FleetMon application, including:
- The FleetMon web application (all routes and endpoints)
- Authentication and session management
- Background task processing
- Docker images distributed for deployment
The following are out of scope:
- Third-party services or infrastructure not operated by us
- Customer-managed database servers
- Denial-of-service (DoS) attacks
- Social engineering attacks
Safe Harbor
We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who:
- Act in good faith to avoid privacy violations, data destruction, and service disruption
- Report vulnerabilities promptly and provide reasonable time for remediation before any disclosure
- Do not access or modify data belonging to other users
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
Coordinated Disclosure
We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We aim to resolve critical vulnerabilities as quickly as possible and will coordinate with you on an appropriate disclosure timeline.