Coordinated Disclosure
Last updated: May 11, 2026
We welcome reports from security researchers acting in good faith. We do not currently operate a paid bounty, but we acknowledge contributions and recognize researchers publicly when requested.
Safe harbor
Vault Agentics will not pursue legal action against researchers who: (a) make a good-faith effort to follow this policy; (b) avoid privacy violations, destruction of data, and interruption or degradation of services; (c) only interact with accounts they own or have explicit permission to access; and (d) give us reasonable time to investigate and remediate before public disclosure.
Scope
- vaultagentics.com and subdomains operated by Vault Agentics.
- Engagement work product is out of scope unless explicitly authorized in writing by the customer of record.
Out of scope
- Findings from automated scanners without demonstrated impact.
- Social engineering of personnel or physical attacks against offices.
- Self-XSS, missing security headers without exploit, denial of service, rate-limit issues.
SLAs
- Acknowledgement within 3 business days.
- Triage decision within 10 business days.
- Status updates at least every 30 days until resolution.
How to report
Use the form below or email security@vaultagentics.com. Public disclosure should be coordinated with us in advance.
Report a vulnerability
We welcome good-faith research. Please do not access data beyond what is needed to demonstrate impact.
