Security Vulnerability Disclosure Policy

Last updated: 2026-03-28

AgentBuilders takes the security of our platform seriously. We value the work of security researchers who help keep our users safe. This policy describes how to report vulnerabilities and what to expect from us.

How to Report a Vulnerability

If you believe you have found a security vulnerability in AgentBuilders, please report it to us privately. Do not disclose the issue publicly until we have had the opportunity to investigate and address it.

Send your report to:

security@agentbuilders.app

Please encrypt sensitive reports using our PGP key (available upon request).

What to Include in Your Report

To help us triage and respond efficiently, please include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • The affected URL, endpoint, or component
  • Your impact assessment (e.g., data exposure, privilege escalation, denial of service)
  • Any proof-of-concept code, screenshots, or logs
  • Your contact information for follow-up

Response Timeline

We commit to the following response times:

  1. Acknowledgement — within 48 hours of receiving your report
  2. Triage and assessment — within 5 business days
  3. Status update — we will keep you informed of our progress toward resolution
  4. Fix and disclosure — we aim to resolve confirmed vulnerabilities promptly and will coordinate disclosure timing with you

Safe Harbor

AgentBuilders will not pursue legal action against security researchers who report vulnerabilities in good faith and in accordance with this policy.

We consider security research conducted under this policy to be authorized and will not initiate legal action for accidental policy violations made in good faith.

To qualify for safe harbor protection, you must:

  • Act in good faith and avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts you own or with explicit permission from the account holder
  • Stop testing and report immediately once you have confirmed a vulnerability
  • Not exploit the vulnerability beyond the minimum necessary to demonstrate the issue
  • Give us reasonable time to address the issue before any public disclosure

Scope

This policy applies to the following assets:

  • *.agentbuilders.app — all subdomains of the AgentBuilders platform
  • The AgentBuilders API (api.agentbuilders.app)
  • The AgentBuilders CLI and SDK

Out of Scope

The following activities are outside the scope of this program and should not be attempted:

  • Social engineering attacks (phishing, vishing, pretexting) against AgentBuilders employees or users
  • Physical attacks against AgentBuilders offices or infrastructure
  • Denial of service (DoS/DDoS) attacks
  • Automated vulnerability scanning that generates significant traffic
  • Attacks against third-party services or infrastructure not owned by AgentBuilders
  • Spam or social engineering via the platform contact forms

Recognition

We appreciate the contributions of security researchers who help keep AgentBuilders safe. With your permission, we will acknowledge valid reports in our security hall of fame. If you prefer to remain anonymous, we will respect that preference.

Thank you for helping us protect the AgentBuilders community.