Security Policy

Reporting a Vulnerability

We take the security of Agentic Trust seriously. If you believe you have found a security vulnerability, please report it to us as described below.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues. Instead, report them by email to security@agentictrust.com. You should receive a response within 48 hours; if you do not, follow up by email to confirm that we received your original message. Please include the following information:
  • Type of issue (e.g., SQL injection, XSS, authentication bypass)
  • Full paths of source file(s) related to the issue
  • Location of the affected source code (tag/branch/commit or direct URL)
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit it

What to Expect

  • Acknowledgment: We will acknowledge your email within 48 hours
  • Updates: We will send you regular updates about our progress
  • Fix Timeline: We aim to patch critical vulnerabilities within 7 days and high-severity vulnerabilities within 30 days
  • Credit: With your permission, we will publicly credit you for the discovery

Responsible Disclosure

We ask that you:
  • Give us reasonable time to investigate and fix the issue before public disclosure
  • Make a good faith effort to avoid privacy violations, data destruction, and service disruption
  • Do not access or modify data that doesn’t belong to you
  • Do not perform attacks that could harm the reliability or integrity of our services

Scope

The following are IN SCOPE for vulnerability reports:
  • Authentication and authorization bypass
  • SQL injection, XSS, CSRF, and other injection attacks
  • Server-side request forgery (SSRF)
  • Remote code execution
  • Sensitive data exposure
  • Business logic vulnerabilities
  • API security issues
The following are OUT OF SCOPE:
  • Social engineering attacks
  • Physical attacks against our offices or data centers
  • Attacks requiring physical access to a user’s device
  • Denial of service attacks
  • Issues in third-party services we use (report to them directly)
  • Issues already known and disclosed in our public issue tracker
  • Clickjacking on pages with no sensitive actions
  • SPF/DKIM/DMARC records

Security Measures

We implement the following security controls:

Authentication & Authorization

  • OAuth 2.0 via WorkOS for user authentication
  • API key authentication with SHA-256 hashing
  • HMAC-based identity verification for end users
  • Organization-based access control
  • Timing-safe comparison for all secret verification

Data Protection

  • TLS 1.2+ for all data in transit
  • Database encryption at rest (Neon PostgreSQL)
  • API keys hashed with SHA-256 (never stored in plaintext)
  • HMAC secrets generated with cryptographically secure random bytes
  • PII redaction capabilities for logging
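The API-key and HMAC controls listed under Authentication & Authorization and Data Protection can be seen together in one place. The following TypeScript is an added example written for this page, not Agentic Trust's own implementation: it issues a random API key and persists only its SHA-256 digest, generates a per-organisation HMAC secret from CSPRNG bytes, tags an end-user id with it, and checks the tag with a constant-time comparison. The `at_` key prefix, the in-memory key store and all function names are assumptions for the example.

```typescript
import { createHash, createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// ---- API keys -------------------------------------------------------------
// A key is 32 CSPRNG bytes, so a plain (unsalted, fast) SHA-256 digest is an
// adequate storage form: there is no low-entropy secret to brute-force offline.
// This is NOT appropriate for passwords, which need a slow, salted KDF.
export function hashApiKey(key: string): string {
  return createHash("sha256").update(key, "utf8").digest("hex");
}

export interface IssuedKey {
  plaintext: string;                            // shown to the caller exactly once
  record: { keyHash: string; orgId: string };   // the only thing that is persisted
}

export function issueApiKey(orgId: string): IssuedKey {
  // The "at_" prefix is an assumption for this example; a fixed prefix lets
  // secret scanners recognise the key format.
  const plaintext = "at_" + randomBytes(32).toString("base64url");
  return { plaintext, record: { keyHash: hashApiKey(plaintext), orgId } };
}

// Hypothetical in-memory store: keyHash -> orgId. A database would do the same
// lookup with `WHERE key_hash = $1`; the plaintext key never reaches storage.
export function authenticateApiKey(presented: string, store: Map<string, string>): string | null {
  return store.get(hashApiKey(presented)) ?? null;
}

// ---- End-user identity verification ---------------------------------------
// A per-organisation secret generated from CSPRNG bytes. The customer's backend
// uses it to mint an HMAC tag over the user id; the tag travels with the id and
// is recomputed and checked here.
export function generateHmacSecret(): string {
  return randomBytes(32).toString("hex");
}

export function signUserId(secret: string, userId: string): string {
  return createHmac("sha256", secret).update(userId, "utf8").digest("hex");
}

// Insecure reference form: `===` stops at the first differing byte, so response
// time leaks how much of a guessed tag is correct.
export function verifyUserIdNaive(secret: string, userId: string, tag: string): boolean {
  return tag === signUserId(secret, userId);
}

export function verifyUserId(secret: string, userId: string, tag: string): boolean {
  const expected = Buffer.from(signUserId(secret, userId), "hex");
  const presented = Buffer.from(tag, "hex");   // odd-length or non-hex input decodes short
  // timingSafeEqual throws on unequal lengths. The tag length is not secret,
  // so rejecting early here leaks nothing useful.
  if (presented.length !== expected.length) return false;
  return timingSafeEqual(presented, expected);
}
```

Note that the constant-time comparison matters for the HMAC tag, which an attacker can attempt to forge byte by byte, but not for the API-key lookup: the digest is derived from a 256-bit random key, so a timing leak on the digest comparison reveals nothing about the key itself.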

Infrastructure Security

  • Strict Transport Security (HSTS) with preload
  • Content Security Policy headers
  • X-Frame-Options to prevent clickjacking
  • X-Content-Type-Options to prevent MIME sniffing
  • Security headers on all responses
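A practitioner reviewing the header controls above usually wants a check rather than a list. The TypeScript below is an added example, not code from Agentic Trust: it parses a Strict-Transport-Security value per RFC 6797, tests it against the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload), and audits a response's headers for the clickjacking and MIME-sniffing protections named above. The header values in the usage are constructed for the example.

```typescript
// Directives of a Strict-Transport-Security header (RFC 6797).
export interface HstsPolicy {
  maxAge: number | null;
  includeSubDomains: boolean;
  preload: boolean;
}

export function parseHsts(value: string): HstsPolicy {
  const policy: HstsPolicy = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(";")) {
    const directive = part.trim();
    if (directive === "") continue;
    const eq = directive.indexOf("=");
    const name = (eq === -1 ? directive : directive.slice(0, eq)).trim().toLowerCase();
    // RFC 6797 allows a quoted directive value, e.g. max-age="31536000".
    const rawValue = eq === -1 ? "" : directive.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age") {
      // Non-numeric max-age is treated as absent rather than as zero.
      if (/^\d+$/.test(rawValue) && Number.isSafeInteger(Number(rawValue))) policy.maxAge = Number(rawValue);
    } else if (name === "includesubdomains") {
      policy.includeSubDomains = true;
    } else if (name === "preload") {
      policy.preload = true;
    }
  }
  return policy;
}

// Preload-list requirements (hstspreload.org): max-age of at least one year,
// includeSubDomains, and the preload token.
export const PRELOAD_MIN_MAX_AGE = 31_536_000;

export function hstsPreloadEligible(value: string): boolean {
  const p = parseHsts(value);
  return p.maxAge !== null && p.maxAge >= PRELOAD_MIN_MAX_AGE && p.includeSubDomains && p.preload;
}

// Audit a response's headers. Returns a list of findings; an empty list passes.
// Header names are matched case-insensitively, as HTTP requires.
export function auditSecurityHeaders(headers: Record<string, string>): string[] {
  const h = new Map<string, string>();
  for (const [k, v] of Object.entries(headers)) h.set(k.toLowerCase(), v);
  const findings: string[] = [];

  const hsts = h.get("strict-transport-security");
  if (hsts === undefined) findings.push("missing Strict-Transport-Security");
  else if (!hstsPreloadEligible(hsts)) findings.push("HSTS not preload-eligible: " + hsts);

  const csp = h.get("content-security-policy");
  if (csp === undefined) findings.push("missing Content-Security-Policy");

  // Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
  const xfo = (h.get("x-frame-options") ?? "").toUpperCase();
  const framingRestricted = xfo === "DENY" || xfo === "SAMEORIGIN" || /frame-ancestors/i.test(csp ?? "");
  if (!framingRestricted) findings.push("framing not restricted (X-Frame-Options / CSP frame-ancestors)");

  if ((h.get("x-content-type-options") ?? "").toLowerCase() !== "nosniff") {
    findings.push("X-Content-Type-Options is not nosniff");
  }
  return findings;
}

// Constructed example responses: one that meets the policy and one that does not.
export const GOOD_HEADERS: Record<string, string> = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
};
export const BAD_HEADERS: Record<string, string> = {
  "strict-transport-security": "max-age=300",
  "x-content-type-options": "none",
};
```

Run `auditSecurityHeaders(GOOD_HEADERS)` and `auditSecurityHeaders(BAD_HEADERS)` to see the difference: the first returns no findings, the second reports the short HSTS max-age, the missing CSP, unrestricted framing and the wrong X-Content-Type-Options value.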

Application Security

  • Input validation using Zod schemas
  • SQL injection prevention via Prisma ORM
  • Rate limiting (30 req/min for chat, 60 req/min for general APIs)
  • CORS restrictions with origin allowlist
  • Parameterized database queries
  • Content Security Policy
  • Regular dependency updates and vulnerability scanning
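Two of the controls above, rate limiting at 30 and 60 requests per minute and the CORS origin allowlist, are shown here as an added TypeScript example written for this page rather than Agentic Trust's own code. The limiter is a sliding-window log keyed by client id and bucket; the allowlist uses exact origin matching, which is the point that is most often got wrong. The client ids, the allowed origins and the in-process store are assumptions for the example.

```typescript
// Requests per minute, from the limits stated in the policy.
export const LIMITS = { chat: 30, general: 60 } as const;
export type Bucket = keyof typeof LIMITS;
const WINDOW_MS = 60_000;

// Sliding-window log: timestamps of each client's requests in the last minute.
// Hypothetical in-process store; a multi-replica deployment would keep this in
// a shared store such as Redis so that every replica sees the same count.
const requestLog = new Map<string, number[]>();

// `now` is injectable so the behaviour can be tested deterministically.
export function allowRequest(clientId: string, bucket: Bucket, now: number = Date.now()): boolean {
  const key = `${bucket}:${clientId}`;
  const cutoff = now - WINDOW_MS;
  const recent = (requestLog.get(key) ?? []).filter((t) => t > cutoff);
  const allowed = recent.length < LIMITS[bucket];
  if (allowed) recent.push(now);
  requestLog.set(key, recent);   // writing back also drops expired entries
  return allowed;
}

// Exact-match origin allowlist. The origins are assumptions for the example.
// Compare the whole origin (scheme + host + port), never a substring, suffix
// or unanchored regex: "https://app.agentictrust.com.evil.example" ends with
// an allowed hostname, and "http://app.agentictrust.com" is a different origin
// on an insecure scheme.
export const ALLOWED_ORIGINS: ReadonlySet<string> = new Set([
  "https://agentictrust.com",
  "https://app.agentictrust.com",
]);

export function corsHeadersFor(origin: string | undefined): Record<string, string> {
  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    return {};   // no Access-Control-Allow-Origin: the browser refuses the cross-origin read
  }
  return {
    // Echo the matched origin rather than "*": browsers reject "*" when
    // credentials are sent, and reflecting an unchecked Origin would defeat the allowlist.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The response varies by Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}
```

A fixed-window counter would be simpler but lets a client send 60 chat requests in two seconds straddling a minute boundary; the sliding log never admits more than the configured count in any 60-second span, at the cost of storing up to that many timestamps per client.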

Monitoring & Logging

  • Error tracking with Sentry
  • Audit logs for sensitive operations
  • Rate limit monitoring
  • Failed authentication attempt tracking

Operational Security

  • Automated security patch deployment
  • Regular security audits and penetration testing
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Vendor security assessments

Supported Versions

Version     Supported
Latest      Yes
< Latest    No
We only support the latest version of Agentic Trust. Please ensure you are running the most recent version before reporting issues.

Security Changelog

We maintain a security changelog for transparency:

2026-02-16

  • Moved Sentry DSN to environment variables
  • Implemented CORS origin allowlist
  • Enhanced error message sanitization
  • Added comprehensive security documentation
  • Documented dependency vulnerability status

Questions?

If you have questions about this security policy, please contact us at security@agentictrust.com.

Last Updated: February 16, 2026