ACP-SEC Security Disclosure
Responsible disclosure policy · Updated June 2026
We take security seriously. If you discover a vulnerability in ACP-SEC, please report it responsibly. We commit to acknowledging your report within 48 hours.
Report a Vulnerability
✉️
Security Contact
🐛
GitHub Issues (non-sensitive)
Response Times
Initial acknowledgment
48 hours
Triage & assessment
7 days
Fix timeline (critical)
14 days
Public disclosure
After fix
Scope
In scope for responsible disclosure:
- acpsec.app web application and API
- ACP-SEC scanner and scoring logic
- SentryAgent smart contract (Base Sepolia)
- Authentication and session handling
- Server-side request forgery (SSRF) via scanner endpoints
Out of scope:
- Social engineering attacks
- Denial of service (DoS) attacks
- Issues in third-party services we depend on
- Self-XSS or issues that require physical access
Bug Bounty
No formal bug bounty program at this time. We are transparent about this. We cannot offer monetary rewards currently, but we will publicly acknowledge all valid reports and credit researchers by name (or pseudonym) on this page.
Responsible Disclosure Guidelines
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to fix it
- Do not access, modify, or delete data that does not belong to you
- Do not perform actions that could harm other users or degrade service availability
- Provide sufficient information to reproduce the issue
Acknowledged Researchers
We gratefully acknowledge the following security researchers who have contributed to making ACP-SEC more secure:
| Researcher | Finding | Date |
|---|---|---|
| No reports yet — be the first! | ||
Our Commitments
- We will acknowledge your report within 48 hours
- We will keep you informed of our progress
- We will credit you in this page (with your permission)
- We will not take legal action against researchers acting in good faith
- We will be transparent about our security posture and limitations
ACP-SEC is a testnet project. The SentryAgent contract is deployed on Base Sepolia (testnet) only. There are no mainnet funds at risk in the current deployment.