Vulnerability Disclosure Policy

Security Contact

Report vulnerabilities by email to security@agentvista.dev. If the issue is sensitive, encrypt your report using our PGP key (available on request).

Scope

The following assets are in scope for responsible disclosure:

• The AgentVista platform — app.agentvista.dev and api.agentvista.dev
• AgentVista SDKs (Python, TypeScript)
• Public-facing APIs and OTLP ingestion endpoints
• The landing site — agentvista.dev

Out of Scope

• Social engineering attacks (phishing, pretexting)
• Denial-of-service (DoS / DDoS) attacks
• Third-party services we use (Railway, Stripe, GitHub, etc.)
• Issues already reported by another researcher
• Findings from automated scanners without a demonstrated impact

Safe Harbor

We will not pursue legal action against security researchers who follow responsible disclosure practices, specifically:

• You give us reasonable time to investigate and resolve the issue before public disclosure (minimum 90 days).
• You do not access, modify, or delete data belonging to other users.
• You do not degrade the availability or performance of our services.
• You act in good faith and make a genuine effort to avoid privacy violations and data destruction.

Response Commitment

• Acknowledgment: within 48 hours of receiving your report.
• Triage and timeline: within 5 business days we will provide an initial assessment and an expected resolution timeline.
• Resolution: we aim to resolve confirmed vulnerabilities within 30 days, depending on severity and complexity.
• Credit: with your permission, we will publicly acknowledge your contribution.

What to Include

A good vulnerability report includes:

• A description of the vulnerability and its potential impact.
• Step-by-step reproduction instructions.
• Affected URLs, endpoints, or SDK versions.
• Any supporting evidence (screenshots, proof-of-concept code, HTTP request/response logs).