Security: Teton-ai/smith

SECURITY.md

Security Policy

Our Commitment

Security is a top priority for Smith. As a fleet management system designed for critical environments, we are committed to making Smith a safe and reliable tool. We've open-sourced Smith to increase visibility and enable the community to help identify and address potential security issues.

Reporting a Vulnerability

If you discover a security vulnerability in Smith, please report it by emailing security@teton.ai. Please do not open a public GitHub issue for security vulnerabilities.

What to Include

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Affected versions
  • Any potential impact you've identified

Response Timeline

  • We will acknowledge your report within 48 hours
  • We will provide a detailed response within 7 days
  • We will work with you to understand and resolve the issue

Bug Bounty Program

We operate a bug bounty program for security researchers who responsibly disclose vulnerabilities. Bounty amounts are determined based on the severity and impact of the reported issue. We have a track record of paying bounties for valid security findings.

Supported Versions

We provide security updates for the latest stable release. Please ensure you are running the most recent version of Smith.

Security Best Practices

When deploying Smith:

  • Keep smithd and all components updated to the latest version
  • Use secure communication channels (TLS/HTTPS) for API traffic
  • Follow the principle of least privilege for deployment credentials
  • Regularly review and audit fleet configurations
  • Monitor logs for suspicious activity

Acknowledgments

We appreciate the security research community's efforts. Contributors who report valid security issues will be acknowledged (with permission) in our release notes.

There aren’t any published security advisories