Responsible Disclosure

How to report security vulnerabilities to Future AGI.

Reporting a Vulnerability

If you have discovered a security vulnerability in Future AGI, we encourage you to report it responsibly. Please send your findings to security@futureagi.com.

When submitting a report, include as much of the following as possible:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact or severity
  • Any supporting evidence (screenshots, logs, proof-of-concept code)
  • Your preferred method of contact for follow-up

Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and remediate the issue.

Focus Areas

We are particularly interested in reports related to:

  • Authorization and access control — Bypassing RBAC, accessing resources belonging to other organizations or projects
  • Privilege escalation — Elevating permissions beyond the assigned role
  • Injection attacks — SQL injection, NoSQL injection, command injection, or template injection
  • Data exposure — Unintended access to customer data, trace contents, evaluation results, or API keys
  • Authentication bypass — Circumventing login, SSO, or MFA mechanisms
  • Cross-site scripting (XSS) and cross-site request forgery (CSRF)

Out of Scope

The following are generally considered out of scope:

  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Rate limiting or brute force enumeration without demonstrated impact
  • Automated vulnerability scanner output without a validated proof of impact
  • Social engineering or phishing attacks against Future AGI employees
  • Issues in third-party services or dependencies that do not directly affect Future AGI
  • Missing security headers that do not lead to a demonstrable exploit
  • Clickjacking on pages with no sensitive actions

Our Commitment

When you report a vulnerability to us, we commit to:

  • Acknowledge your report within 48 hours
  • Keep you informed of our investigation progress
  • Investigate and remediate confirmed vulnerabilities in a timely manner based on severity
  • Credit researchers who report valid vulnerabilities (with your consent) in our Hall of Fame

We will not take legal action against researchers who report vulnerabilities in good faith and comply with this responsible disclosure policy.

Bug Bounty

Future AGI does not currently operate a formal monetary bug bounty program. However, we offer public recognition to researchers who report valid, impactful vulnerabilities. With your consent, your name and a brief description of your contribution will be listed in our Hall of Fame.

Hall of Fame

We thank the following researchers for their contributions to the security of Future AGI:

No submissions yet. Be the first to help secure our platform.

Questions?

Reach out to our security team.

security@futureagi.com

Request documents

SOC 2 report, DPA, pen test summary.