Skip to content
AgentCorp
// Legal

Responsible Disclosure

Last updated: July 2026 — how to report a security issue and what to expect from us.

1. Our Commitment

We value the work of security researchers and believe coordinated disclosure makes AgentCorp safer for everyone. This Vulnerability Disclosure Policy explains how to report a security issue to us, what you can expect in return, and the boundaries of good-faith testing. We welcome reports from anyone acting in good faith to protect our users.

2. Scope

This policy covers the AgentCorp platform and our primary web properties on our production domains, including the application and its APIs. Vulnerabilities in the underlying services we rely on — such as our hosting, database, authentication, or model providers — should be reported to us so we can coordinate with the relevant vendor, but please do not test those third-party systems directly.

3. Out of Scope

The following are generally out of scope: findings from automated scanners without a demonstrated, exploitable impact; volumetric denial-of-service and rate-limit exhaustion; social engineering of our staff, customers, or vendors; physical attacks; reports of missing security headers or best practices without a concrete exploit; and issues in third-party services outside our control. If you are unsure whether something is in scope, ask us first.

4. Safe Harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your testing to be authorized, we will not pursue or support legal action against you for that research, and we will work with you to understand and resolve the issue quickly. Good faith means you avoid privacy violations, data destruction, and service disruption, and you give us a reasonable opportunity to remediate before any public disclosure. This safe harbor does not extend to actions that violate applicable law.

5. How to Report

Send your report to our security team with enough detail for us to reproduce and assess the issue: the affected component or URL, a description of the vulnerability, step-by-step reproduction instructions, and any proof-of-concept material. Please do not include real customer data. If you need to share sensitive details securely, mention that in your initial email and we will arrange a secure channel.

6. What to Include

A strong report includes the type of issue and its potential impact, the exact steps to reproduce it, the environment and account context used, and any suggested remediation if you have one. Clear reports let us triage faster and reduce the chance of misunderstanding. Screenshots or short recordings are helpful, provided they do not expose third-party data.

7. Our Response

We will acknowledge your report within three business days. After triage, we will keep you informed of our assessment and remediation progress at reasonable intervals, and we will let you know when the issue is resolved. Timelines vary with complexity and severity, and we appreciate your patience while we develop and ship a fix.

8. Coordinated Disclosure

We ask that you give us a reasonable period to remediate before disclosing an issue publicly, and that you coordinate the timing of any disclosure with us. We are committed to fixing valid issues promptly and to being transparent with affected customers where appropriate. We are happy to credit you once a fix is released, if you would like recognition.

9. No Bug Bounty (Yet)

We do not currently operate a paid bug-bounty program, and reports are handled on a good-faith, coordinated-disclosure basis rather than for monetary reward. We may introduce a formal bounty program in the future. In the meantime, we are glad to acknowledge researchers who help us improve, subject to their preference.

10. security.txt

For machine-readable contact details and the canonical location of this policy, see our security.txt file at /.well-known/security.txt. It points to the same security contact and disclosure policy described here.

11. Rules of Engagement

When testing, only interact with accounts you own or have explicit permission to test, never access, modify, or exfiltrate data that is not yours, stop as soon as you identify a vulnerability and can demonstrate it, and do not use findings for any purpose other than reporting them to us. Following these rules keeps your research within the safe harbor above.

12. Thank You

Coordinated disclosure is a partnership. We are grateful to the researchers who take the time to report issues responsibly and help protect the businesses and people who rely on AgentCorp.

Report a vulnerability to security@agentcorp.work. Machine-readable details are at /.well-known/security.txt.