Security & Responsible Disclosure
We take the security of ShipGuard and agenticcli.dev seriously. If you discover a vulnerability, we ask that you disclose it to us privately so we can address it before it becomes public knowledge.
How to report
Email your finding to [email protected]. There is no dedicated security inbox; [email protected] is monitored by the people who can act on your report.
Please include in your report:
- A description of the vulnerability and where it exists.
- Steps to reproduce the issue.
- The potential impact you identified.
- Any proof-of-concept code or screenshots that demonstrate the issue (do not include live credentials).
We will acknowledge receipt of your report and work with you on a fix. We ask that you do not publicly disclose the vulnerability before a fix has been deployed. We will keep you informed of our progress.
In scope
- ShipGuard CLI (npm package @agenticcli/shipguard)
- Cloud scan API (api.agenticcli.dev and related endpoints)
- agenticcli.dev web application
- Convex backend functions and data access
Out of scope
The following are third-party infrastructure we use but do not control. Please report vulnerabilities in these systems directly to the respective vendors:
- WorkOS AuthKit — report to WorkOS
- Dodo Payments — report to Dodo Payments
- Convex platform infrastructure — report to Convex
- Cloudflare — report to Cloudflare
Generic social engineering, denial-of-service, or physical attacks are also out of scope.
Machine-readable security policy
Our /.well-known/security.txt follows RFC 9116 and is the authoritative machine-readable version of this policy.
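Before relying on a security.txt, it is worth checking that it actually satisfies RFC 9116, since an expired or malformed file will be ignored by tooling that reads it. The checker below is an added example, not code from the ShipGuard project; it runs against a constructed sample file whose addresses, dates and Canonical URL are placeholders, not the real contents of the file on agenticcli.dev. It enforces the rules the RFC makes mandatory (at least one Contact as a mailto:, https: or tel: URI; exactly one ISO 8601 Expires that has not passed) and flags the RFC's recommendation that Expires be under a year out.

```python
"""RFC 9116 security.txt sanity checker (added example, not project code)."""
from datetime import datetime, timedelta, timezone

# Constructed sample; the addresses and dates are placeholders, not the real
# contents of /.well-known/security.txt on agenticcli.dev.
SAMPLE = """\
# Constructed example for illustration
Contact: mailto:security@example.invalid
Contact: https://example.invalid/security
Expires: 2025-06-30T00:00:00Z
Preferred-Languages: en
Canonical: https://example.invalid/.well-known/security.txt
"""

# Fixed evaluation date so the sample above stays reproducible when run later.
FIXED_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

CONTACT_SCHEMES = ("mailto:", "https:", "tel:")


def parse_security_txt(text):
    """Map lowercase field names to their values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes every check."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    # RFC 9116: at least one Contact is required, each a mailto:, https: or tel: URI.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing Contact field")
    for uri in contacts:
        if not uri.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:/tel: URI: {uri}")

    # RFC 9116: Expires is required, appears exactly once, and is an ISO 8601 timestamp.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not ISO 8601: {expires[0]}")
        else:
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                problems.append("file has expired; treat its contact details as stale")
            elif exp - now > timedelta(days=365):
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")

    # Canonical is optional, but when present it should be the HTTPS well-known path.
    for url in fields.get("canonical", []):
        if not (url.startswith("https://") and url.endswith("/.well-known/security.txt")):
            problems.append(f"Canonical should be an https URL ending in /.well-known/security.txt: {url}")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE, now=FIXED_NOW) or ["OK"]:
        print(problem)
```

To check a live file, fetch /.well-known/security.txt over HTTPS and pass the body to check_security_txt; if the file is PGP-signed, verify the signature first and strip the armor before parsing.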