Security Disclosure Policy

Last updated June 18, 2026

Enforgate sits in the path of sensitive agent actions, so we take security reports seriously and welcome good-faith research. This page explains how to report a vulnerability and what to expect. Machine-readable contact details are also published at /.well-known/security.txt (RFC 9116).

How to report

Email support@enforgate.com with a description of the issue, the steps to reproduce it, and its potential impact. Include enough detail (a request/response trace, a proof-of-concept script, or a screen recording) that we can reproduce it without back-and-forth. We don't currently operate a PGP key for encrypted reports. If your finding requires it, say so in your first message and we'll arrange a secure channel.

What's in scope

  • The gateway (/v1/check, /mcp) and its policy engine.
  • The dashboard application and its APIs, including authentication and authorization boundaries.
  • Anything that would let one organization read or affect another's data, bypass a policy verdict, forge an approval, or recover a raw API key or stored secret.
  • The open-source packages under packages/ (policy engine, SDKs, CLI).

What's out of scope

  • Findings that require a misconfigured policy or a deliberately permissive setup you created yourself — Enforgate enforces what you configure; a policy that allows something isn't a vulnerability in the engine.
  • Denial-of-service testing against shared infrastructure, and automated scanning at volume.
  • Social engineering, physical security, or third-party services we integrate with but don't operate (Slack, Microsoft Teams, Telegram, your own SMTP server).
  • Reports generated solely by automated scanners without a verified, reproducible impact.
  • Spam, missing security headers, or best-practice suggestions with no demonstrated exploit.

What we commit to

  • We'll acknowledge a report within 3 business days.
  • We'll give you our assessment (confirmed, needs more information, or not applicable) within 10 business days of acknowledgement.
  • We'll keep you informed as a confirmed issue is fixed, and credit you (if you'd like) once it's resolved.
  • We won't pursue legal action against good-faith research conducted under this policy.

Safe harbor

We consider security research conducted consistent with this policy to be authorized. We will not initiate legal action against you for good-faith testing that stays within the scope above, avoids privacy violations and service disruption, and is reported to us promptly and privately — give us a reasonable time to investigate and remediate before any public disclosure.

No bug bounty (yet)

We don't currently run a paid bug bounty program. We're happy to publicly thank researchers who report valid issues, with your permission.