AgenticCLI

Security & Responsible Disclosure

We take the security of ShipGuard and agenticcli.dev seriously. If you discover a vulnerability, we ask that you disclose it to us privately so we can address it before it becomes public knowledge.

How to report

Email your finding to [email protected]. There is no dedicated security inbox; [email protected] is monitored by the people who can act on your report.

Please include in your report:

We will acknowledge receipt of your report and work with you on a fix. We ask that you do not publicly disclose the vulnerability before a fix has been deployed. We will keep you informed of our progress.

We do not operate a bug bounty programme at this time, but we genuinely appreciate responsible disclosures and will credit researchers who help us — with their consent.

In scope

Out of scope

The following are third-party infrastructure we use but do not control. Please report vulnerabilities in these systems directly to the respective vendors:

Generic social engineering, denial-of-service, or physical attacks are also out of scope.

Machine-readable security policy

Our /.well-known/security.txt follows RFC 9116 and is the authoritative machine-readable version of this policy.