| Version | Supported |
|---|---|
| 1.x | Yes |
Please do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities by emailing: security@agenticaiforgood.com
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgement within 48 hours
- Status update within 7 days
- Fix timeline communicated based on severity (critical issues prioritised)
In scope:
- The Next.js web application (agenticaiforgood.com)
- The hosted MCP server (
/api/mcp) - The npm package (
agentic-ai-for-good-mcp) - Supabase Row Level Security policies
Out of scope:
- Rate limiting / volumetric DDoS
- Issues requiring physical access to our infrastructure
- Social engineering attacks targeting team members
- Vulnerabilities in third-party dependencies (report those upstream)
We follow coordinated responsible disclosure. We ask that you:
- Give us reasonable time to investigate and fix before public disclosure
- Avoid accessing, modifying, or deleting data belonging to other users
- Do not perform actions that could degrade availability for others
We will publicly credit researchers who report valid vulnerabilities (unless you prefer to remain anonymous).