| Version | Supported |
|---|---|
| 1.0.x | ✅ |

Older versions are not supported for security updates.

This policy covers:

- The `agenticracy-skill.md` specification
- The Agenticracy™ Reporting API schema
- Agent identity and registration endpoints (`agenticracy.ai/api/v1/`)
- Any reference implementations in `/examples/`

If you discover a security or integrity issue, please report it privately before public disclosure.

- Email: security@agenticracy.ai
- Subject line: SECURITY REPORT — [brief description]
- Response SLA: 5 business days for initial acknowledgement
- Coordinated disclosure window: 90 days from report to public disclosure

Alternatively, open a private GitHub Security Advisory on this repository.
Please include:
- Clear description of the issue
- Steps to reproduce
- Affected component (skill file / API schema / examples)
- Estimated severity

| Finding | Severity |
|---|---|
| Bypass of Part 6 Refusal Protocols | Critical |
| Agent identity spoofing / impersonation via skill manipulation | Critical |
| Schema injection into the Reporting API | High |
| Prompt injection that suppresses escalation triggers (Part 3) | High |
| Trademark or domain impersonation exploits | High |
| Ambiguity in licence terms that creates unintended commercial loopholes | Medium |
| Gaps in examples that could mislead implementers into unsafe patterns | Low |

- Vulnerabilities in third-party LLM providers (report to Anthropic, OpenAI, Google, etc.)
- Jailbreaks of the underlying model (not a vulnerability in this Standard)
- Disagreements with the Standard's positions (use Issues / Contributing process)

Responsible disclosures will be credited in CHANGELOG.md and on agenticracy.ai/security-acknowledgements unless anonymity is requested.

Agenticracy™ Think Tank · agenticracy.ai · security@agenticracy.ai