Security

    Responsible Disclosure Policy

    We welcome reports from security researchers. This page explains what we protect, how to report an issue, and what you can expect from us in return.

    Scope

    In scope

    • agensi.io and www.agensi.io
    • mcp.agensi.io (MCP server)
    • The skill security scanner and submission pipeline
    • Authentication, API keys, and OAuth flows
    • Payment and creator payout flows
    • Row Level Security policies and database access

    Out of scope

    • Third-party services we rely on (Supabase, Stripe, Netlify, Lovable). Report those to the vendor directly.
    • Social engineering attacks on Agensi staff or creators
    • Physical attacks
    • Denial of service testing
    • Automated scanner output without a working proof of concept
    • Bugs inside individual skills listed on the marketplace. Report those to the creator, or to us at info@agensi.io if you believe a skill is malicious.

    How to report

    Email security@agensi.io with:

    • A description of the issue and its impact
    • Steps to reproduce, or a proof of concept
    • Any suggested remediation

    Encrypted email is welcome but not required. If you want to encrypt, ask for our PGP key in a first message.

    What to expect

    • We will acknowledge your report within 5 business days.
    • We will triage and respond with a severity assessment within 14 business days.
    • We will keep you updated through remediation.
    • We will credit you publicly if you want, once the issue is fixed.

    Agensi is a small team. We cannot guarantee faster timelines than above, but we take every report seriously.

    Safe harbor

    If you research in good faith and follow this policy, we will not pursue legal action and will work with you on coordinated disclosure. Good faith means:

    • Do not access, modify, or delete data that does not belong to you
    • Do not degrade service for other users
    • Do not run destructive or high-volume tests
    • Do not publish details before we have shipped a fix, or before 90 days have passed since your report, whichever comes first

    Rewards

    We do not currently run a paid bounty program. We offer public credit, a genuine thank you, and the satisfaction of helping a small marketplace stay safe. That may change as we grow.

    Legal

    This policy does not cover research conducted on behalf of third parties, or research that violates applicable law. It does not override our Terms of Service.

    Want to learn how we scan every skill?

    Back to security overview