SECURITY DISCLOSURE

Report a vulnerability to AgentMessage.

We welcome coordinated disclosure of security vulnerabilities affecting AgentMessage. This page describes the scope, reporting channel, and safe-harbor terms for good-faith security research.

These terms are provided by Y3 Labs LLC, doing business as AgentMessage. AgentMessage is the product and service name of Y3 Labs LLC.

If you enter into a separate signed Order Form, master services agreement, data processing addendum, or other written agreement with Y3 Labs LLC, that agreement controls to the extent of any conflict.

For legal notices: legal@agentmessage.ioFor privacy requests: privacy@agentmessage.ioFor abuse reports: abuse@agentmessage.io

Effective date2026-05-01
Last updated2026-05-01
Versionv1.0
Provided byY3 Labs LLC

1. In scope

The following AgentMessage-operated properties are in scope for coordinated disclosure:

  • agentmessage.io and any subdomain operated by AgentMessage (marketing site, dashboard).
  • agentmsg.io and any subdomain operated by AgentMessage (API surfaces, email, CDN, webhooks).
  • The customer-facing AgentMessage REST API and webhook-delivery infrastructure.

2. Out of scope

The following are out of scope under this policy. Reports targeting them will not be eligible for safe-harbor treatment under this page:

  • Domains or services owned by our subprocessors (for example, Stripe, Clerk, Bandwidth, The Campaign Registry, Anthropic, OpenAI, Vercel, DigitalOcean). Report those through the relevant vendor's disclosure channel.
  • Customer-operated infrastructure, including customer webhook receivers, customer-owned domains, and customer integrations built on top of the AgentMessage API.
  • Findings that require physical access, social engineering of AgentMessage personnel, or compromise of a customer account through credential reuse.
  • Volumetric denial-of-service testing, traffic floods, or any test that materially degrades the Service for other customers.

3. How to report

Send vulnerability reports to security@agentmessage.io. Please include:

  • A clear description of the issue and its impact.
  • Steps to reproduce, including any payloads, request samples, or screenshots needed to confirm the finding.
  • The affected URL, endpoint, parameter, or component.
  • Your contact information so we can follow up and, if appropriate, credit you in the resolution notes.

We will acknowledge receipt within a reasonable time and work with you on a coordinated timeline. Please do not publicly disclose the issue until we confirm a resolution or jointly agree on a disclosure schedule.

4. Safe harbor

We will not pursue legal action against good-faith security research that:

  • Is conducted within the scope set out above.
  • Avoids privacy violations, destruction of data, disruption of the Service, and access to data belonging to other customers.
  • Stops at the minimum proof of concept required to demonstrate the vulnerability, and does not exfiltrate data beyond what is needed to prove the issue.
  • Reports the issue promptly through the channel described above and does not disclose the issue publicly before resolution or a jointly agreed disclosure schedule.
  • Complies with applicable law.

If a third party brings legal action against you for activities that complied in good faith with this policy, we will take steps to make clear that your activities were authorized.

Customer-side responsibilities and prohibited conduct are in the Acceptable Use Policy and the Terms of Service. Privacy and data-handling practices are described in the Privacy Policy.

6. Contact

Vulnerability reports: security@agentmessage.io. Abuse reports: abuse@agentmessage.io. Legal notices: legal@agentmessage.io.

Y3 Labs LLC
845 Houston Northcutt Blvd #1079
Mt Pleasant, SC 29464
United States
Attn: Legal
legal@agentmessage.io
Found something?

Email security@agentmessage.io and we will get back to you.

Contact AgentMessage →