Security: Panniantong/Agent-Reach

SECURITY.md

Security Policy

Supported Versions

Version | Supported
Latest  | ✅ Yes

Reporting a Vulnerability

If you discover a security vulnerability in Agent-Reach, please report it responsibly by using GitHub's private security advisory feature:

👉 Report a vulnerability

Please do NOT open a public GitHub issue for security vulnerabilities.

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected versions
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgement within 48 hours
  • Status update within 7 days
  • Fix timeline communicated within 14 days

Scope

The following are considered in scope:

  • Authentication and authorization bypass
  • Remote code execution
  • Path traversal / arbitrary file read
  • Server-Side Request Forgery (SSRF)
  • Injection vulnerabilities (SQL, command, prompt)
  • Sensitive data exposure

Out of Scope

  • Vulnerabilities in dependencies (report to the dependency maintainer)
  • Social engineering attacks
  • Denial of service via resource exhaustion

Credits

We appreciate responsible disclosure and will credit researchers in our release notes unless anonymity is requested.

There aren’t any published security advisories