Security

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue in ShieldAgent, please report it through the process below. We commit to a transparent, timely response and recognize researchers who help keep our users safe.

Scope

The following systems and properties are in scope for vulnerability reports:

  • ShieldAgent proxy: authentication bypass, policy enforcement bypass, traffic interception, injection into proxied traffic
  • Management API (api.shieldagent.io): broken access control, IDOR, privilege escalation, data exposure, SSRF
  • Dashboard (app.shieldagent.io): XSS, CSRF, session management issues, sensitive data exposure in UI
  • Agent Passport verification: signature forgery, replay attacks, revocation bypass
  • Audit log integrity: tampering, deletion, or falsification of audit records

Out of scope

Important: Only test against accounts you own or have explicit permission to test. Never access, modify, or delete data belonging to other users.

How to Report

Send vulnerability reports by email. Encrypt sensitive reports with our PGP key to prevent disclosure in transit.

security@shieldagent.io

Include the following in your report:

  • Vulnerability type and affected component
  • Step-by-step reproduction instructions
  • Proof-of-concept code or screenshots (where applicable)
  • Your assessment of severity and potential impact
  • Any suggested mitigations

PGP Key

Use our PGP public key to encrypt sensitive reports. Fingerprint: [PGP key will be published here — check back shortly]

PGP public key block — coming soon

Response Timeline

Initial acknowledgement

Within 2 business days
We confirm receipt of your report and assign a tracking ID.

Triage and severity assessment

Within 5 business days
We reproduce the issue, assess severity (CVSS), and assign an owner.

Status update

Every 7 days
We keep you informed of progress throughout remediation.

Resolution target

Critical: 7 days · High: 30 days · Medium/Low: 90 days
Patch or mitigation deployed. We notify you when the fix ships.

Public disclosure

Coordinated with reporter
We coordinate public disclosure timing with you, typically 90 days post-report or sooner if both parties agree.

Recognition Program

We recognise researchers who responsibly disclose valid vulnerabilities. Recognition is based on severity and impact of the reported issue.

Severity | CVSS range | Recognition
Critical | 9.0 – 10.0 | Hall of Fame listing + bounty (amount confirmed at triage)
High     | 7.0 – 8.9  | Hall of Fame listing + bounty
Medium   | 4.0 – 6.9  | Hall of Fame listing
Low      | 0.1 – 3.9  | Acknowledgement on request

Hall of Fame
Researchers who discover and responsibly disclose qualifying vulnerabilities are listed in our public Security Hall of Fame with their consent. We do not pay bounties for out-of-scope issues, duplicate reports, or vulnerabilities that require physical access or social engineering.

Safe Harbour

ShieldAgent will not pursue legal action against researchers who discover and report vulnerabilities in good faith, provided they: do not access data beyond what is necessary to demonstrate the vulnerability; do not disrupt production systems or other users; do not publicly disclose the issue before we have had a reasonable opportunity to remediate it; and act in accordance with this policy throughout. We consider responsible security research to be a valuable contribution to the security of our product and the broader ecosystem.