SECURITY

Responsible disclosure

Help us stay secure. Report vulnerabilities responsibly and give us time to respond before disclosure.

We take security seriously. Despite our efforts, risks always exist. If you discover a vulnerability in our systems or in software we have implemented at a client, we would like to hear about it — before malicious actors can exploit it.

The policy below describes how to submit a report, what you can expect from us, and what is in or out of scope.

HOW TO REPORT

How to report a vulnerability

What to include

Describe the vulnerability, the potential impact, and — where possible — steps to reproduce. Proof-of-concept code or screenshots help a lot. Please mention whether you would like credit and under which name.

Response time

We aim to acknowledge receipt within 2-3 business days. During extended absence you can escalate to hello@aiagent.nl; you will always receive a reply within 7 days. After that we follow up with an assessment and an indicative timeline for the fix.

OUR COMMITMENTS

What you can expect from us

Fast response

Acknowledgement of receipt within 2-3 business days, with a substantive reply within 7 days. During extended absence you can escalate to hello@aiagent.nl.

Transparent communication

We keep you informed of progress and agree on disclosure timelines together.

Credit where deserved

With your consent, we credit you in our acknowledgements or in a changelog note alongside the fix.

No legal action

For researchers acting in good faith and staying within scope, we will not pursue legal action.

SCOPE

What is in and out of scope

In scope

  • aiagent.nl and all subdomains
  • Forms on the website (contact, AI scan, AI literacy test)
  • Software we have specifically implemented for you
  • Configuration issues in our public environment

Out of scope

  • Denial-of-service (DoS/DDoS) attacks or stress tests
  • Social engineering of staff or clients
  • Physical access to equipment or offices

SAFE HARBOR

Safe research

Researchers acting in good faith, staying within scope, not exfiltrating or modifying data, and not disrupting services need not fear legal action from us. If anything is unclear, please contact us before conducting further research.

Machine-readable variant for security researchers · /.well-known/security.txt

Responsible Disclosure & Security | AI Agent B.V. | AI Agent