Fleet logo
Menu An icon indicating that interacting with this button will open the navigation menu.
Fleet logo An 'X' icon indicating that this can be interacted with to close the navigation menu.
Multi platform
Device management   (+ MDM) Orchestration   (+ monitoring) Software management   (+ CVEs) Integrations

Docs
Stories
What people are saying News Ask around Meetups COMPANY
Origins   (Fleet & osquery) The handbook Logos & artwork Why open source?

Pricing Take a tour
Multi platform
Device management + MDM Orchestration + monitoring Software management + CVEs, usage, app library Integrations
Docs
Stories
What people are saying News Ask around Take a tour Meetups COMPANY Origins   (Fleet & osquery) The handbook Logos/artwork Why open source?
Pricing Try it yourself
{{categoryFriendlyName}}/
{{thisPage.meta.articleTitle}}
search

Security testing at Fleet/Orbit auto-updater audit

{{articleSubtitle}}

| The author's GitHub profile picture

Guillaume Ross

Share this article on Hacker News Share this article on LinkedIn Share this article on Twitter

On this page

{{topic.title}}
Docs Docs REST API REST API Guides Guides Talk to an engineer Talk to an engineer
Suggest an editSuggest an edit

Try it out

See what Fleet can do

Start now
macOS Windows Linux

Security testing at Fleet/Orbit auto-updater audit

{{articleSubtitle}}

| The author's GitHub profile picture

Guillaume Ross

Security testing at Fleet/Orbit auto-updater audit

Security testing at Fleet/Orbit auto-updater audit

At Fleet, openness is one of our core values. We believe a rising tide lifts all boats and that almost everything we do regarding security should be public.

Orbit is an osquery runtime and auto-updater. It leverages The Update Framework to create a secure update mechanism using a hierarchy of cryptographic keys and operations.

About a year ago, while Orbit was still brand new, not “production-ready,” and in use by almost nobody, we had an external vendor (Trail of Bits) perform a security audit on the Orbit auto-updater functionality.

We then handled the issues surfaced by the audit publicly in the Fleet repository and the old Orbit repository.

You can read more about the 2021 Orbit auto-updater security audit here.

Testing in the future

Fleet will regularly perform security tests. These tests will target Fleet, Orbit, our company, and many other components.

We will:

  1. Resolve issues that expose Fleet users to risk.
  2. Share the results of tests as rapidly as possible once we have addressed issues.
  3. Comment when necessary and valuable.

If external testers find significant vulnerabilities, we will generate GitHub security advisories on a case-by-case basis. We can share important information about vulnerabilities before releasing the full report.

Auto-updater security

We believe the security of auto-updates is critical in a world where supply chain attacks are common. When automatic updaters are trusted, systems receive essential security updates quicker. It is up to the software industry to make these updates trustworthy so everyone can benefit from more secure systems around the globe.

We will continue improving our software and processes for packaging and delivering Orbit updates by expanding security mechanisms to cover more and more threat scenarios. You can always peek at our security project, where public issues are visible to everyone.

Future improvements will appear there, and we are always thankful when researchers discover and disclose vulnerabilities.

If you have questions about the Orbit audit or Fleet security, please join us on Slack!

Fleet logo
Multi platform Device management Orchestration Software management Integrations Pricing
Documentation Support Docs API Release notes Get your license
Company About News Jobs Logos/artwork Why open source?
ISO 27001 coming soon a small checkmarkSOC2 Type 2 Creative Commons Licence CC BY-SA 4.0
© 2025 Fleet Inc. Privacy
Slack logo GitHub logo LinkedIn logo X (Twitter) logo Youtube logo Mastadon logo
Tried Fleet yet?

Get started with Fleet

Start
continue
×