RAgencyOS · Legal

Vulnerability Disclosure Policy

Effective
May 31, 2026
Last revised
May 31, 2026
Version
2026.05.31
Issued by
RAgencyOS, ragencyos.com
The short version

Found a security issue? Email support@ragencyos.comwith as much detail as you can. We’ll acknowledge within one business day, investigate promptly, fix confirmed issues, and credit you publicly if you’d like. Don’t access other customers’ data, don’t use disclosure as leverage, don’t share details publicly until we’ve patched.

1.Scope

This policy covers vulnerabilities in:

  • The RAgencyOS web application at ragencyos.com and its subdomains.
  • The public APIs and endpoints we expose.
  • Our authentication flow (magic-link sign-in).
  • Our handling of uploaded files, including W-9 PDFs and photo ID images.

Out of scope:

  • Findings already known to us and disclosed at ragencyos.com/security.
  • Findings in third-party services we depend on (Supabase, Vercel, Cloudflare, Resend, Google, Telegram). Report those to the vendor directly.
  • Social-engineering attacks against our staff or customers.
  • Physical security of any office or co-working space we use.
  • Denial-of-service or volumetric testing.
  • Findings that require physical access to a victim’s device.

2.How to report

Email support@ragencyos.comwith subject “Security report”. Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce, including URLs, payloads, and any account or session context required.
  • Your assessment of severity (CVSS or your own scale is fine).
  • Your contact information and whether you’d like public credit.

PGP keys are not currently published. Send the report in plain text; if the information is particularly sensitive, email us first and we’ll arrange a secure channel.

3.What we'll do

  • Acknowledge receipt within one (1) business day.
  • Triage and respond with our initial assessment within five (5) business days.
  • Keep you updated as we investigate and remediate.
  • Credit you publicly (with your permission) once the issue is fixed.
  • Notify affected customers per our breach-notification commitment (Privacy Policy §13) if Customer Data was exposed.

4.Safe harbor, what you should and shouldn't do

While researching, please:

  • Test only against accounts and data that you own or have explicit permission to test.
  • Do not access, modify, or delete other customers’ data.
  • Do not exfiltrate more data than is necessary to demonstrate the vulnerability.
  • Do not use automated scanners that generate disproportionate traffic.
  • Stop and report immediately if you encounter Customer Personal Data you should not have access to.
  • Give us reasonable time to investigate and patch before publicly disclosing, we propose a 90-day disclosure window by default, longer for complex fixes.

Research conducted in good faith and in accordance with this policy will not be the subject of legal action by us. If a third party initiates legal action against you in relation to research conducted in accordance with this policy, we will make our authorization known.

This policy does not authorize you to violate any law, breach any agreement, or take any action that would jeopardize the privacy or security of our customers or their end users.

5.No bounty (today)

We do not currently operate a paid bug-bounty program. We recognize researchers publicly (with consent) in a hall of fame and may offer modest swag or service credits for high-impact reports. As we grow, we may introduce a bounty program; if we do, this policy will be updated.

6.Contact

Security reports and questions about this policy:

Security inbox
support@ragencyos.com

This document is provided in good faith and reflects RAgencyOS’s current practices as of the effective date shown above. It does not constitute legal advice. For questions, please contact support@ragencyos.com.

— RAgencyOS