If you discover a security vulnerability in Fleet Control Center, do not open a public issue. Security vulnerabilities must be reported privately to allow time for a fix before public disclosure.
Use GitHub Security Advisories to submit a private report. Include the following:
- Description -- A clear explanation of the vulnerability.
- Steps to reproduce -- Detailed instructions to replicate the issue.
- Impact assessment -- What an attacker could achieve by exploiting it.
- Affected versions -- Specific versions, or "all" if unknown.
- Suggested fix -- If you have a proposed remediation.

Response timeline:

| Step | Timeframe |
|---|---|
| Acknowledgment of report | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix development and testing | Depends on severity |
| Security advisory published | At time of fix release |

Severity classification:

| Severity | Description | Examples |
|---|---|---|
| Critical | Remote code execution, authentication bypass, data exfiltration | Command injection, session fixation |
| High | Privilege escalation, significant data exposure | RBAC bypass, audit log tampering |
| Medium | Limited impact requiring specific conditions | CSRF, information disclosure |
| Low | Minimal impact, defense-in-depth improvements | Missing headers, verbose errors |

Supported versions:

| Version | Supported |
|---|---|
| 0.2.x (current) | Yes |
| 0.1.x | Yes |

For a comprehensive overview of Fleet Control Center's security controls, threat model, and defense-in-depth design, see SECURITY_ARCHITECTURE.md.
Key security features include:
- PBKDF2 password hashing (100K iterations, SHA-512)
- TOTP multi-factor authentication with recovery codes
- HMAC-SHA256 request signing with nonce replay prevention
- Ed25519 digital signatures for receipt chains
- Append-only audit logging with SHA-256 hash chains
- Automatic secret redaction in event payloads
- CSP nonces, rate limiting, and input validation
- Zero external dependencies (no third-party package supply chain risk)

When deploying Fleet Control Center, ensure the following:
- Change the default admin password. The server refuses to start in production mode with the default credentials.
- Generate a strong session secret, for example with Node's built-in `crypto` module:
  ```
  node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
  ```
- Use HTTPS -- either directly or via a reverse proxy (nginx, Caddy).
- Restrict CORS origins -- set `security.corsOrigins` to your specific domain(s).
- Use Tailscale -- for encrypted node-to-control-plane communication.
- Enable MFA -- for all admin and operator accounts.

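
The CORS step above is the one most often misconfigured, so here is an added Node.js example of the origin check that a setting like `security.corsOrigins` should drive, with the weak reflect-everything pattern beside an exact-match allowlist. This is not Fleet Control Center's own code: the config shape `{ security: { corsOrigins: [...] } }` is an assumption based on the dotted key name, and the example origins are constructed.

```javascript
// Added example (not Fleet Control Center's own code) of the origin check
// behind a setting like security.corsOrigins. The config shape
// { security: { corsOrigins: [...] } } is an assumption.

// Normalise an origin string to scheme://host[:port]. Returns null for
// anything that is not a plain http(s) origin, including the literal "null"
// origin that browsers send for sandboxed or file:// contexts.
function normalizeOrigin(value) {
  let u;
  try {
    u = new URL(String(value));
  } catch {
    return null;
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // host is lower-cased and a default port is dropped
}

// Weak pattern, shown only as the "before": reflecting whatever Origin arrives
// (or configuring "*") while also allowing credentials lets any site drive the
// control plane with the operator's session cookie.
function corsHeadersWeak(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact match against the configured allowlist. No suffix or
// substring checks, no wildcard; scheme and port are part of the match.
function buildCorsPolicy(config) {
  const configured = (config && config.security && config.security.corsOrigins) || [];
  if (configured.includes('*')) {
    throw new Error('security.corsOrigins must list explicit origins, not "*"');
  }
  const allowed = new Set();
  for (const entry of configured) {
    const origin = normalizeOrigin(entry);
    if (!origin) throw new Error(`security.corsOrigins: not a valid origin: ${entry}`);
    allowed.add(origin);
  }
  // Returns CORS headers for an allowed origin, or null when the response
  // should carry no CORS headers at all (the browser then blocks the read).
  return function corsHeaders(requestOrigin) {
    const origin = normalizeOrigin(requestOrigin);
    if (!origin || !allowed.has(origin)) return null;
    return {
      'Access-Control-Allow-Origin': origin,
      'Access-Control-Allow-Credentials': 'true',
      'Vary': 'Origin', // keep caches from serving one origin's response to another
    };
  };
}

// Constructed configuration for the example.
const examplePolicy = buildCorsPolicy({
  security: { corsOrigins: ['https://fleet.example.com', 'https://ops.example.com:8443'] },
});
```

With the constructed config, `examplePolicy('https://fleet.example.com')` returns the allow headers, while `https://fleet.example.com.other.test`, `http://fleet.example.com` (wrong scheme) and a `null` origin all return `null`. Matching on the parsed origin rather than on the raw header string is what makes the suffix and case variations fail closed.
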
We value the work of the security research community. Reporters will be acknowledged in security advisories unless they prefer to remain anonymous.