Security

Responsible disclosure

Found a vulnerability in our systems or services? Tell us, and we'll fix it together. Last updated on 11 May 2026.

1. Introduction

Keeping our systems and our customers' data safe is one of the most important things we do at AgentsLab. Despite our efforts, a vulnerability may still slip into one of our systems or services. If you find one, we ask you to report it to us so we can fix it and keep our customers and platform secure.

This policy is not an invitation to actively and extensively scan our corporate systems for vulnerabilities. Our systems are monitored continuously and a scan is likely to be detected and investigated by our security team.

2. We ask you to

  • Email your findings to Ruben and Guido as soon as possible at ruben@agentslab.eu, guido@agentslab.eu.
  • Not exploit the issue, for example by downloading more data than needed to demonstrate the vulnerability, or by viewing, modifying or deleting third-party data.
  • Not share the issue with others until it has been resolved, and permanently delete any confidential data obtained through the vulnerability as soon as it is fixed.
  • Not use physical attacks, social engineering, (distributed) denial-of-service, spam or third-party applications.
  • Provide enough information to reproduce the issue so we can resolve it as quickly as possible. Usually the IP address or URL of the affected system and a description of the vulnerability are enough, but more complex issues may require more.

3. What we promise

  • We respond to your report within three business days with our assessment and an expected resolution date.
  • If you have followed the conditions above, we will not pursue legal action against you in connection with your report.
  • We treat your report confidentially and will not share your personal details with third parties without your permission, unless required by law.
  • We will keep you informed of the progress towards a fix.
  • In public communication about the reported issue we will, if you wish, name you as the discoverer.
  • As a token of our gratitude, we offer a reward for every report of a security issue not yet known to us that we consider serious. We determine the form of the reward case by case. Our security team assesses whether an issue qualifies.

4. In scope

This policy applies to systems and services that we operate:

  • agentslab.eu and all subdomains under *.agentslab.eu.
  • The AgentsLab platform and its APIs as delivered to our customers.
  • Official AgentsLab mobile and desktop clients.

5. Out of scope

The following reports are out of scope for this policy and not eligible for a reward:

  • Vulnerabilities in third-party services or in vendor software that we use.
  • Findings from automated scans without proven impact.
  • Missing best-practice headers, missing rate limits on non-critical endpoints and similar configuration observations without proven impact.
  • Self-XSS, clickjacking on pages without authentication-relevant actions, and CSRF on forms without a sensitive action.
  • Volumetric attacks, denial-of-service, brute force, spam and phishing tests.
  • Physical attacks, social engineering against employees or customers, and attacks on office or network infrastructure.

6. How to report a vulnerability

Send your report to ruben@agentslab.eu, guido@agentslab.eu. Please include at least:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce (URL, request, payload, screenshots or a short video).
  • Optionally a suggested fix or mitigation.
  • How you would like to be contacted and whether you want to be publicly credited on disclosure.

We prefer reports in English or Dutch. Encrypted communication via PGP is available on request: ask for the current public key at ruben@agentslab.eu, guido@agentslab.eu.

8. Contact

Questions about this policy can be sent to ruben@agentslab.eu, guido@agentslab.eu. For other security and compliance questions, see our security page.

This policy may change from time to time. The current version is always on this page, with the date of last revision at the top.