Security Policy
Agilis Inc. takes the security of the Agilis Inspections platform seriously. We welcome reports from security researchers, customers, and the broader community. If you believe you have found a security vulnerability, please report it to us privately so we can investigate and remediate before any details are made public.
Reporting a vulnerability
- Email matt.anderson@agilisinc.com (CTO and Security Lead).
- Backup contact: rick.anderson@agilisinc.com (President and CEO).
- Machine-readable contact: /.well-known/security.txt (RFC 9116).
Please do not open a public GitHub issue for a suspected vulnerability. A useful report typically includes a description of the affected surface, reproduction steps, suspected impact, and any proof-of-concept payload or screenshots.
Our response commitments
- Acknowledge receipt within 3 business days.
- Initial triage and severity assessment within 5 business days.
- Remediation targets: Critical ≤ 7 days, High ≤ 30 days, Medium ≤ 90 days, Low ≤ 180 days from confirmation. Status updates every 14 days until closed.
- Where a confirmed Critical- or High-severity vulnerability has the potential to affect customer data or service availability, Agilis Inc. notifies affected customers per our Incident Response Plan.
Safe harbor
Agilis Inc. will not pursue legal action against researchers who act in good faith, follow this policy, avoid privacy violations and disruption of service, do not access or retain customer data beyond what is strictly necessary to demonstrate the vulnerability, and provide a reasonable remediation window (at least 90 days, or as mutually agreed) before any public disclosure.
Scope
In scope: the Agilis Inspections web application, Agilis Inc.-operated Supabase Edge Functions, and Agilis Inc.-operated marketing or informational pages.
Out of scope: third-party services operated by Agilis Inc.'s vendors (Supabase, Microsoft Azure, GitHub, Resend, OpenAI) — report those directly to the vendor and notify Agilis Inc. if a tenant or data set is affected. Denial-of-service testing, sustained automated scanning, and findings that require a compromised endpoint or man-in-the-middle position without a flaw in our code or configuration are also out of scope.
Full policy
The complete vulnerability-disclosure policy, including the bug bounty stance and acknowledgments process, is published in SECURITY.md in the Agilis Inspections repository. Internal SLAs are documented in the Vulnerability Management Policy.
