Agentys

Vulnerability Disclosure Policy

Version: 1.0 Date: February 2026 Owner: Agentys Inc.
Classification: Public

1. Introduction

Agentys Inc. ("Agentys," "we," or "our") takes the security of our AI email management platform and the protection of our users' data seriously. We recognize that independent security researchers play a valuable role in strengthening the security posture of technology platforms.

This Vulnerability Disclosure Policy ("Policy") describes how security researchers can report potential vulnerabilities in Agentys products and services, what we expect from reporters, and what reporters can expect from us.

We are committed to:


2. Scope

2.1 In Scope

The following assets and systems are within the scope of this Policy:

2.2 Out of Scope

The following are explicitly excluded from this Policy:


3. How to Report a Vulnerability

3.1 Reporting Channel

Please submit all vulnerability reports via encrypted email to:

Security Team: security@agentys.io

PGP Key Fingerprint: A1B2 C3D4 E5F6 7890 1234 5678 9ABC DEF0 1234 5678

Our full PGP public key is available at agentys.io/.well-known/security.txt

We strongly encourage reporters to encrypt all communications containing vulnerability details using our PGP key.

3.2 Required Information

To help us triage and validate your report efficiently, please include:

  1. Description — A clear summary of the vulnerability, the affected component, and the attack vector.
  2. Steps to reproduce — Detailed, step-by-step instructions that allow our team to replicate the issue.
  3. Impact assessment — Your evaluation of the potential severity and impact on users or data.
  4. Supporting evidence — Screenshots, proof-of-concept code, HTTP request/response logs, or video recordings as applicable.
  5. Environment details — Browser, operating system, or any other relevant configuration.

3.3 Response Timeline

Milestone Target Timeframe
Acknowledgment of report Within 48 hours
Initial assessment and triage Within 5 business days
Status update to reporter At least every 10 business days
Remediation (see Section 5) Based on severity

4. Researcher Guidelines

We ask that all researchers adhere to the following guidelines when investigating and reporting vulnerabilities:


5. Our Commitments

5.1 Safe Harbor

Agentys will not pursue legal action against security researchers who discover and report vulnerabilities in accordance with this Policy. We consider activities conducted consistent with this Policy to be authorized conduct. If legal action is initiated by a third party against a researcher for activities conducted in compliance with this Policy, we will take reasonable steps to make it known that such activities were authorized.

5.2 Communication

We commit to transparent and timely communication throughout the disclosure process. Reporters will receive regular status updates and will be notified when the vulnerability has been remediated.

5.3 Credit and Acknowledgment

With the reporter's consent, Agentys will publicly credit the researcher in our security acknowledgments page. Reporters may choose to remain anonymous.

5.4 Remediation Timelines

Upon confirming a vulnerability, Agentys targets the following remediation timelines based on severity:

Severity Target Remediation Description
Critical 7 days Active exploitation risk; direct impact on user data or system integrity
High 30 days Significant security impact with a plausible attack scenario
Medium 60 days Moderate impact requiring specific conditions to exploit
Low 90 days Minor impact or informational findings with limited risk

6. Rewards and Recognition

Agentys does not currently operate a formal bug bounty program. However, we deeply value the contributions of the security research community.


7. Exclusions

The following categories of findings are generally not eligible for consideration under this Policy:


8. Contact Information

Channel Details
Security team email security@agentys.io
PGP public key agentys.io/.well-known/security.txt
General inquiries info@agentys.io

This Policy may be updated from time to time. The latest version is always available at agentys.io/docs/vulnerability-disclosure-policy.html.