Security & Vulnerability Disclosure
Security is core to Agent-Fabric. If you believe you have found a vulnerability, we want to hear from you and we will work with you in good faith to resolve it.
- Report to
- security@falconoon.com
- Response
- We acknowledge reports within 3 business days.
- Scope
agent-fabric.falconoon.com,app.falconoon.com,api.falconoon.com, thefalconCLI, and the Agent-Fabric service.
How to report
Email security@falconoon.com with:
- a clear description of the issue and its impact;
- steps to reproduce (proof-of-concept, requests, or a short script);
- affected component and version where known;
- how we can reach you.
If you need to share sensitive details, ask us for a secure channel in your first message.
Our commitments
- We acknowledge your report within 3 business days and keep you updated as we investigate.
- We investigate every legitimate report and prioritize by severity.
- We will not pursue legal action against researchers who follow this policy in good faith (see Safe harbor below).
- With your permission, we are happy to credit you once the issue is resolved.
Responsible disclosure guidelines
To keep users safe, please:
- give us a reasonable time to remediate before any public disclosure;
- avoid privacy violations, data destruction, and service disruption;
- only interact with accounts, machines and data you own or have explicit permission to test;
- do not run automated scanning that degrades the service, and do not attempt denial of service.
Out of scope
Reports that are typically not actionable on their own include: missing best-practice headers without a demonstrated exploit, rate-limiting on non-sensitive endpoints, social engineering, physical attacks, and vulnerabilities in third-party services we do not control. When in doubt, report it — we would rather hear from you.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your research authorized, will work with you to understand and resolve the issue quickly, and will not recommend or pursue legal action against you. This policy does not authorize actions that violate applicable law.