We release patches for security vulnerabilities. Below are the versions of AgentForge currently receiving security updates:
| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
We take the security of AgentForge seriously. If you believe you have found a security vulnerability, please do not report it in the public GitHub issues.
Instead, report it via email to security@agentforge.dev. You should receive a response within 48 hours.
- Type of vulnerability
- Full path(s) of affected file(s)
- Steps to reproduce
- Proof of concept (if possible)
- Impact description
- Your contact information
For encrypted disclosure, please use our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBGZu6nwBEADJ7hLxV9J0h5nYP1wXHKgLm8Wk5Q3fRmGxPcz0znR0FqCV
9J0h5nYP1wXHKgLm8Wk5Q3fRmGxPcz0znR0FqCV9J0h5nYP1wXHKgLm8Wk5
Q3fRmGxPcz0znR0FqCV9J0h5nYP1wXHKgLm8Wk5Q3fRmGxPcz0znR0FqCV9
...
-----END PGP PUBLIC KEY BLOCK-----
Fingerprint: AF62 9BC4 8E9B 2F8A 1C2D E3F4 5678 9ABC DEF0 1234
We follow a Coordinated Disclosure process:
- Report received — acknowledgment within 48 hours
- Investigation — our team verifies and assesses the vulnerability (3-5 business days)
- Fix preparation — we develop and test the fix
- Embargo period — we coordinate a release date with you (typically 30 days from report)
- Public disclosure — security advisory published, fix released
We will credit you in the security advisory unless you prefer to remain anonymous.
We run a bug bounty program for qualifying vulnerabilities:
| Severity | Bounty Range |
|---|---|
| Critical | $1,000 - $5,000 |
| High | $500 - $1,000 |
| Medium | $100 - $500 |
| Low | Recognition only |
In scope:
- Remote code execution
- SQL injection
- Cross-site scripting (XSS)
- Authentication bypass
- Authorization flaws
- Sensitive data exposure
- Server-side request forgery (SSRF)
Out of scope:
- Denial of Service attacks
- Social engineering
- Physical attacks
- Self-XSS
- Missing HTTP headers (without demonstrated impact)
- Rate limiting issues
We release security patches as patch version bumps (e.g., 1.0.1). Subscribe to our GitHub Releases for notifications.
When deploying AgentForge in production:
- Use environment variables for all secrets — never hardcode credentials
- Enable HTTPS in production
- Configure CORS appropriately for your domain
- Use strong, unique passwords for databases and Redis
- Keep all dependencies up to date
- Run with least-privilege database users
- Enable rate limiting for API endpoints
- Use input validation on all user-supplied data
- Regularly rotate API keys and tokens
- Monitor logs for suspicious activity
- Primary: security@agentforge.dev
- PGP Fingerprint: AF62 9BC4 8E9B 2F8A 1C2D E3F4 5678 9ABC DEF0 1234
- Discord: Security Channel