Vulnerability Disclosure Policy

Effective Date: April 18, 2026

Buji Development Corporation, doing business as Agent Midas, values the security research community and encourages responsible disclosure of security vulnerabilities affecting the Agent Midas platform. This policy outlines how external researchers can report vulnerabilities and what they can expect from us in return.

1. Scope

1.1 In Scope

The following assets are in scope for vulnerability reporting: the Agent Midas web application at agentmidas.ai and agentmidas.xyz, all API endpoints at agentmidas.ai/api/*, the Agent Midas mobile web application, authentication and authorization mechanisms, payment processing flows (excluding Stripe infrastructure itself), subscriber data isolation mechanisms (row-level security), and AI agent communication channels.

1.2 Out of Scope

The following are out of scope: third-party services and infrastructure not operated by the Company (Stripe, Supabase, Cloudflare, Anthropic, etc.), social engineering attacks against Company personnel, physical security of data centers (managed by hosting providers), denial-of-service testing (do not send excessive traffic), and any testing that degrades service for other subscribers.

2. How to Report

Please report security vulnerabilities to our security team via email:

Email: [email protected]

Subject Line: [VULNERABILITY] Brief description of the issue

Encrypt sensitive reports using our PGP key, available at agentmidas.ai/.well-known/security.txt.

2.1 What to Include

To help us investigate and resolve the vulnerability effectively, please include: a detailed description of the vulnerability and its potential impact, step-by-step instructions to reproduce the issue, the affected URL, endpoint, or component, any relevant screenshots, logs, or proof-of-concept code, your assessment of severity (Critical, High, Medium, Low), and your contact information for follow-up.

3. Our Commitments

Acknowledgment: We will acknowledge receipt of your report within 2 business days.

Assessment: We will provide an initial assessment of the report within 5 business days, including severity classification and estimated remediation timeline.

Remediation: We will work to remediate confirmed vulnerabilities within the following timeframes: Critical (P0) within 24 hours, High (P1) within 7 days, Medium (P2) within 30 days, Low (P3) within 90 days.

Transparency: We will keep you informed of our progress and notify you when the vulnerability has been remediated.

Credit: With your permission, we will publicly acknowledge your contribution in our security advisories and on our website.

4. Safe Harbor

The Company will not pursue legal action against security researchers who: make a good-faith effort to comply with this policy, avoid accessing or modifying subscriber data (use your own test account), do not exploit vulnerabilities beyond what is necessary to demonstrate the issue, do not disclose the vulnerability publicly before we have had a reasonable opportunity to remediate it (minimum 90 days), and promptly report the vulnerability rather than using it for personal gain.

This safe harbor applies to security research conducted in compliance with this policy. Activities that could cause harm to subscribers, disrupt services, or violate applicable law are not covered.

5. Exclusions

The following types of reports are generally not accepted: reports from automated vulnerability scanners without manual verification, missing security headers that do not lead to a demonstrable vulnerability, clickjacking on pages with no sensitive actions, CSRF on unauthenticated forms, username or email enumeration, missing rate limiting on non-authentication endpoints, and SPF/DKIM/DMARC misconfiguration reports (unless leading to demonstrable email spoofing against subscribers).

6. Legal

This Vulnerability Disclosure Policy is not a contract and does not create any legal obligation on the part of the Company. The Company reserves the right to modify this policy at any time. This policy does not authorize any activity that violates applicable law. If you are uncertain whether your planned research is compliant with this policy, please contact us before proceeding.

7. Contact

Security Reports: [email protected]

General Inquiries: [email protected]

Phone: (561) 571-2646

Buji Development Corporation, 1712 Pioneer Ave. Ste. 500, Cheyenne, WY 82001