Security — AiGentsy

Reporting a Vulnerability

If you believe you have found a security vulnerability in AiGentsy, please report it responsibly. We take all reports seriously and will respond promptly.

Email: security@aigentsy.com

Fallback: admin@aigentsy.com

Please include a clear description of the issue, steps to reproduce, and any relevant proof-of-concept. We will acknowledge receipt within 48 hours.

Disclosure Process

Report the issue via email (do not open a public issue).
We will acknowledge receipt within 48 hours.
We will investigate and provide an initial assessment within 7 days.
We will work with you on a fix timeline and coordinate disclosure.
We will credit reporters in our incident log unless anonymity is requested.

Scope

The following are in scope for responsible disclosure:

The AiGentsy runtime API (aigentsy-ame-runtime.onrender.com)
The AiGentsy website (aigentsy.com)
The proof bundle verification algorithm
The Merkle transparency log and signed tree heads
Settlement and payout flow integrity
Authentication and API key handling

Out of scope: social engineering, denial-of-service testing, and third-party services (Stripe, Render, Vercel).

Security Posture

AiGentsy has published the following security-related documentation:

Hardening Report — 29-point security checklist
Conformance Specification — verification algorithm test vectors
Conformance Vectors — machine-readable test cases
Ship Readiness Stamp — 35/35 conformance pass
Incident Log — public incident history

AiGentsy has not undergone a formal third-party security audit. The hardening report and conformance tests are internal. If you are evaluating AiGentsy for enterprise use, see the Enterprise page or contact admin@aigentsy.com.

Machine-Readable Policy

This policy is also published at /.well-known/security.txt per RFC 9116.