Vulnerability Disclosure Policy
- Effective
- May 31, 2026
- Last revised
- May 31, 2026
- Version
- 2026.05.31
- Issued by
- RAgencyOS, ragencyos.com
Found a security issue? Email support@ragencyos.comwith as much detail as you can. Weâll acknowledge within one business day, investigate promptly, fix confirmed issues, and credit you publicly if youâd like. Donât access other customersâ data, donât use disclosure as leverage, donât share details publicly until weâve patched.
1.Scope
This policy covers vulnerabilities in:
- The RAgencyOS web application at
ragencyos.comand its subdomains. - The public APIs and endpoints we expose.
- Our authentication flow (magic-link sign-in).
- Our handling of uploaded files, including W-9 PDFs and photo ID images.
Out of scope:
- Findings already known to us and disclosed at ragencyos.com/security.
- Findings in third-party services we depend on (Supabase, Vercel, Cloudflare, Resend, Google, Telegram). Report those to the vendor directly.
- Social-engineering attacks against our staff or customers.
- Physical security of any office or co-working space we use.
- Denial-of-service or volumetric testing.
- Findings that require physical access to a victimâs device.
2.How to report
Email support@ragencyos.comwith subject âSecurity reportâ. Please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, including URLs, payloads, and any account or session context required.
- Your assessment of severity (CVSS or your own scale is fine).
- Your contact information and whether youâd like public credit.
PGP keys are not currently published. Send the report in plain text; if the information is particularly sensitive, email us first and weâll arrange a secure channel.
3.What we'll do
- Acknowledge receipt within one (1) business day.
- Triage and respond with our initial assessment within five (5) business days.
- Keep you updated as we investigate and remediate.
- Credit you publicly (with your permission) once the issue is fixed.
- Notify affected customers per our breach-notification commitment (Privacy Policy §13) if Customer Data was exposed.
4.Safe harbor, what you should and shouldn't do
While researching, please:
- Test only against accounts and data that you own or have explicit permission to test.
- Do not access, modify, or delete other customersâ data.
- Do not exfiltrate more data than is necessary to demonstrate the vulnerability.
- Do not use automated scanners that generate disproportionate traffic.
- Stop and report immediately if you encounter Customer Personal Data you should not have access to.
- Give us reasonable time to investigate and patch before publicly disclosing, we propose a 90-day disclosure window by default, longer for complex fixes.
Research conducted in good faith and in accordance with this policy will not be the subject of legal action by us. If a third party initiates legal action against you in relation to research conducted in accordance with this policy, we will make our authorization known.
This policy does not authorize you to violate any law, breach any agreement, or take any action that would jeopardize the privacy or security of our customers or their end users.
5.No bounty (today)
We do not currently operate a paid bug-bounty program. We recognize researchers publicly (with consent) in a hall of fame and may offer modest swag or service credits for high-impact reports. As we grow, we may introduce a bounty program; if we do, this policy will be updated.
6.Contact
Security reports and questions about this policy:
This document is provided in good faith and reflects RAgencyOSâs current practices as of the effective date shown above. It does not constitute legal advice. For questions, please contact support@ragencyos.com.
â RAgencyOS