If you discover a security concern related to AgentFlow’s public documentation, this repository, or its published materials, report it directly and privately to the AgentFlow team. Responsible disclosure protects everyone — it lets the team address real issues quickly without creating additional exposure through public channels. This page explains exactly how to report, what to include, and what falls inside and outside the scope of this process.

How to Report

Send all security concerns to contact@agentflow-enterprise.com. This is the only supported reporting channel. Do not open a GitHub issue for security-related findings.
When you reach out, the team will acknowledge your report and triage it promptly. You do not need to follow a complex process — a clear, direct email with the details below is sufficient.

What to Include in Your Report

To help the team understand and address your concern quickly, include the following in your message:
  1. A clear summary of the security concern — describe what you found and why it matters
  2. The affected page or file — link to or name the specific public file, page, or URL involved
  3. Reproduction steps — if the issue can be demonstrated, explain how to reproduce it
  4. Recommended remediation — if you have a suggested fix or mitigation, include it
You do not need to include private source code, internal configuration details, or proprietary information in your report. If your finding involves an exposed credential or key, quote only enough of it (for example the file, line, and a short prefix) to identify it rather than the full value.

Scope

Not every security question falls within the scope of this public disclosure process. Use the lists below to determine whether your concern is in scope before reaching out.

In Scope
  • Accidental exposure of sensitive information in public files
  • Misleading or inaccurate security statements in documentation
  • Unsafe public documentation that could mislead security reviewers
  • Broken links that could misdirect security-focused buyers
  • Documentation that exposes internal details unintentionally

Out of Scope
  • Requests for private source code or internal implementation details
  • Attempts to bypass access controls or authentication
  • Attacks against third-party services (Supabase, Stripe, OpenAI, Vercel, etc.)
  • Social engineering attempts targeting AgentFlow team members
  • Speculative reports without practical, demonstrable impact
If your concern falls outside this scope, it is still fine to reach out through the general contact address — but be aware it may not be prioritized through the security triage process.

Do Not Post Publicly

Do not post sensitive vulnerability details, reproduction steps, or findings related to credentials, access controls, or internal implementation in public GitHub issues, social media, or community forums. Public disclosure before the team has had a chance to respond and remediate creates unnecessary risk. If you are unsure whether something is sensitive, err on the side of private disclosure.
This applies even if the issue seems minor. The team will work with you to determine the right response and, where appropriate, acknowledge your contribution.

Response Expectations

After you send a report to contact@agentflow-enterprise.com, you can expect:
  • Acknowledgement — the team will confirm receipt and that your report is being reviewed
  • Triage — the team will assess the severity and scope of the concern
  • Follow-up — if more information is needed, the team will reach out directly
Response times are not guaranteed by SLA, but the team is committed to taking responsible disclosure seriously and responding promptly.

Bug Bounty

There is no public bug bounty program currently. The team appreciates responsible disclosure and will acknowledge valid contributions, but no financial reward is offered at this time.
Related: Security Overview · Data Handling