Responsible Disclosure

Last updated: 2026-01-23

Overview

We appreciate the security community’s help in keeping AgentTrust safe. If you believe you’ve found a security issue, please report it responsibly.

Report a vulnerability

Email: security@agenttrust.io

Please include:

  • A description of the issue
  • Steps to reproduce
  • Impact assessment (if known)
  • Relevant logs or screenshots (if available)

Guidelines

  • Please use the least intrusive method and stop testing once you confirm impact.
  • Please avoid accessing, modifying, or deleting user data.
  • Please avoid actions that could impact availability.
  • Please give us a reasonable time to investigate and remediate before public disclosure.

Safe Harbor

We authorize good-faith security research that follows this policy.

We will not pursue legal action for activities that are compliant with these guidelines and conducted in good faith.

In scope

  • AgentTrust-owned domains and web applications (including the public website).
  • Public APIs and services operated by AgentTrust.
  • Vulnerabilities that demonstrate a clear security impact.

Out of scope

  • Denial-of-service testing or degradation of availability.
  • Social engineering, phishing, or physical attacks.
  • Issues in third-party services outside our control.
  • Findings that require unrealistic user interaction or non-standard configurations.

Timelines

  • We will confirm receipt of your report within 2 business days.
  • We aim to provide an initial response within 5 business days.
  • We will share progress updates as we investigate and remediate.

PGP

PGP key available upon request.

What we’ll do

  • Acknowledge receipt
  • Investigate and remediate
  • Coordinate disclosure timing