Version: 1.0Date: February 2026Owner: Agentys Inc.
Classification: Public
Agentys Inc.Vulnerability Disclosure Policy — v1.0 · Public
1. Introduction
Agentys Inc. ("Agentys," "we," or "our") takes the security of our AI email management platform and the protection of our users' data seriously. We recognize that independent security researchers play a valuable role in strengthening the security posture of technology platforms.
This Vulnerability Disclosure Policy ("Policy") describes how security researchers can report potential vulnerabilities in Agentys products and services, what we expect from reporters, and what reporters can expect from us.
We are committed to:
Working collaboratively with the security research community.
Promptly validating and remediating confirmed vulnerabilities.
Providing safe harbor for researchers who act in good faith and in accordance with this Policy.
2. Scope
2.1 In Scope
The following assets and systems are within the scope of this Policy:
agentys.io — primary web application and user-facing interfaces
API endpoints — all REST and GraphQL APIs served under agentys.io
Authentication and authorization systems — login flows, session management, OAuth integrations
AI processing pipeline — email ingestion, classification, and agent response generation
2.2 Out of Scope
The following are explicitly excluded from this Policy:
Third-party services, libraries, or platforms not operated by Agentys
Social engineering attacks (e.g., phishing targeting Agentys employees)
Physical security attacks against Agentys offices or infrastructure
Denial-of-service (DoS/DDoS) attacks
Spam or phishing campaigns
Vulnerabilities in software or hardware not maintained by Agentys
3. How to Report a Vulnerability
3.1 Reporting Channel
Please submit all vulnerability reports via encrypted email to:
We strongly encourage reporters to encrypt all communications containing vulnerability details using our PGP key.
3.2 Required Information
To help us triage and validate your report efficiently, please include:
Description — A clear summary of the vulnerability, the affected component, and the attack vector.
Steps to reproduce — Detailed, step-by-step instructions that allow our team to replicate the issue.
Impact assessment — Your evaluation of the potential severity and impact on users or data.
Supporting evidence — Screenshots, proof-of-concept code, HTTP request/response logs, or video recordings as applicable.
Environment details — Browser, operating system, or any other relevant configuration.
3.3 Response Timeline
Milestone
Target Timeframe
Acknowledgment of report
Within 48 hours
Initial assessment and triage
Within 5 business days
Status update to reporter
At least every 10 business days
Remediation (see Section 5)
Based on severity
4. Researcher Guidelines
We ask that all researchers adhere to the following guidelines when investigating and reporting vulnerabilities:
Do not access or modify other users' data. If a vulnerability provides access to another user's information, stop testing immediately, do not interact with the data, and report the issue.
Do not perform destructive testing. Avoid actions that could degrade service availability, corrupt data, or negatively affect other users.
Minimize exploitation. Do not exploit the vulnerability beyond the minimum necessary to establish a valid proof of concept.
Coordinated disclosure. Do not publicly disclose vulnerability details until Agentys has had a reasonable opportunity to remediate the issue. We follow a 90-day coordinated disclosure timeline from the date of the initial report.
Act in good faith. Conduct your research in a manner consistent with improving the security of the platform and protecting its users.
Comply with applicable law. Do not engage in any activity that would violate applicable local, provincial, national, or international law.
5. Our Commitments
5.1 Safe Harbor
Agentys will not pursue legal action against security researchers who discover and report vulnerabilities in accordance with this Policy. We consider activities conducted consistent with this Policy to be authorized conduct. If legal action is initiated by a third party against a researcher for activities conducted in compliance with this Policy, we will take reasonable steps to make it known that such activities were authorized.
5.2 Communication
We commit to transparent and timely communication throughout the disclosure process. Reporters will receive regular status updates and will be notified when the vulnerability has been remediated.
5.3 Credit and Acknowledgment
With the reporter's consent, Agentys will publicly credit the researcher in our security acknowledgments page. Reporters may choose to remain anonymous.
5.4 Remediation Timelines
Upon confirming a vulnerability, Agentys targets the following remediation timelines based on severity:
Severity
Target Remediation
Description
Critical
7 days
Active exploitation risk; direct impact on user data or system integrity
High
30 days
Significant security impact with a plausible attack scenario
Medium
60 days
Moderate impact requiring specific conditions to exploit
Low
90 days
Minor impact or informational findings with limited risk
6. Rewards and Recognition
Agentys does not currently operate a formal bug bounty program. However, we deeply value the contributions of the security research community.
All valid vulnerability reports will be acknowledged and the reporter credited (if desired).
Significant findings that demonstrate exceptional skill or reveal critical issues may be eligible for discretionary recognition at Agentys' sole discretion.
We reserve the right to introduce a formal reward program in the future.
7. Exclusions
The following categories of findings are generally not eligible for consideration under this Policy:
Vulnerabilities in third-party software, libraries, or services that Agentys does not directly control or maintain.
Issues that require physical access to a user's device or Agentys infrastructure.
Social engineering attacks targeting Agentys employees, contractors, or users.
Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks.
Output from automated vulnerability scanners that has not been manually validated with a clear proof of concept.
Missing security headers or best-practice recommendations without demonstrated exploitability.
Clickjacking on pages with no sensitive actions.
CSRF on forms that do not perform state-changing operations.