If you believe you have found a security vulnerability in any Agenta repository, please report it to us through coordinated disclosure.
Do not report security vulnerabilities via public GitHub issues, pull requests, or discussions.
Instead, please send an email to security@agenta.ai.
Please include as much of the following as you can to help us reproduce and resolve the issue:
- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting).
- Full paths of source files related to the issue.
- The location of the affected source code (tag, branch, commit SHA, or direct URL).
- Any special configuration or environment required to reproduce.
- Step-by-step instructions to reproduce.
- Proof-of-concept or exploit code (if possible).
- Expected vs actual behaviour and potential impact.
- Your contact details and disclosure timeline preference.
- Acknowledgement: We will acknowledge receipt within 3 business days.
- Triage: We aim to complete an initial triage within 7 calendar days and will share severity and next steps.
- Remediation & Disclosure: For critical vulnerabilities we aim to release a fix or mitigation within 30 days; for other issues, typically within 90 days. We will coordinate any public disclosure with you.
- We will provide status updates as needed during remediation.
We respect and protect good-faith security research. If you follow this policy:
- We will not initiate legal action against you for good-faith testing conducted as part of coordinated disclosure.
- Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the issue.
- Do not disrupt production services or attempt destructive actions.
The following are out of scope:
- Third-party services not operated by Agenta.
- Physical security attacks or social engineering of personnel.
- Low-risk informational issues without security impact (e.g., generic version banners).
- Denial-of-service attacks (we will not accept DoS testing against production).
If you report a valid vulnerability and want public recognition, tell us how you wish to be credited (full name, handle, company, or anonymous). Recognition is discretionary and will be coordinated with you.
If email is unavailable and you need an immediate or urgent channel, contact our general line: team@agenta.ai (monitored during business hours). For truly critical emergencies, include “EMERGENCY / SECURITY” in the subject line of your email.
- Report metadata will be retained for incident tracking and compliance.
- Personal data you provide will be handled according to our privacy policy.
- We will only share reporter data internally on a need-to-know basis.