Last updated: 12 May 2026 · Policy version 2.4
Our commitment
If you discover a vulnerability in any Wonderful Agent product, infrastructure, or service, we want to hear about it. We treat reports as a gift — a chance to make the platform safer for every customer. In return, we commit to acknowledge you, work with you transparently, fix the issue on a defined timeline, and never pursue legal action against researchers acting in good faith under this policy.
What's in scope
The following Wonderful Agent properties are in scope:
- Production web applications — app.wonderfulagent.ai, admin.wonderfulagent.ai, wonderfulagent.ai
- Public APIs — anything documented under docs.wonderfulagent.ai/api or returned with an X-WA-API header
- Agent runtimes — sandboxed execution environments where Aria, Atlas, Sage, and Theo operate
- Mobile apps — iOS and Android Wonderful Agent companion apps (current and one previous version)
- Infrastructure — first-party hosting accounts and services that materially affect customer data confidentiality, integrity, or availability
What's out of scope
- Findings from automated tools alone with no proof-of-concept or impact analysis
- Theoretical attacks without a working exploit on a live system
- Social engineering, phishing, or physical attacks on our staff or offices
- DoS / DDoS attacks, volumetric attacks, or stress tests on production infrastructure
- Missing best-practice headers (HSTS preload, CSP) on marketing pages with no sensitive data
- Email spoofing on subdomains we do not send from
- Third-party services where Wonderful Agent is a customer (please report directly to that vendor and CC us)
- Outdated browsers or libraries with no demonstrable impact on a current Wonderful Agent endpoint
- Issues that only affect non-supported versions of mobile apps or self-host builds older than 90 days
Safe harbor
If you make a good-faith effort to follow this policy, we will not:
- Bring or support any legal action against you under the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, similar laws in other jurisdictions, or our Terms of Service
- Notify law enforcement or pursue private prosecution for your research activity
- Treat your activity as a Terms of Service violation if you stayed within scope, did not access more data than necessary to demonstrate the issue, and did not degrade availability for other customers
If a third party initiates legal action against you for activity that complied with this policy, we will make it clear publicly and to that third party that your activity was authorised. This safe harbor does not extend to activity that violates other laws or that goes beyond what's needed to demonstrate a finding.
Ground rules for testing
- Use a free trial account or a test tenant we provision for you — do not test against another customer's tenant
- Only access data that belongs to your own account, or data we provide for testing
- Stop as soon as you've demonstrated impact — do not exfiltrate, retain, or share data beyond what proves the finding
- Do not pivot from a found issue to attack other systems or customers
- Do not run automated scanners against production at rates that would degrade service. If you need a rate-limit exemption to test thoroughly, email us and we'll set you up on a staging tenant
- Report through the channels below — do not post on social media, blogs, or public trackers before coordinated disclosure
How to report
Send your report to security@wonderfulagent.ai. For sensitive reports, encrypt with our PGP key (fingerprint 4AB1 E0FE 9E2C 7F44 6D7B 9C19 22EE 11F1 36A1 0E2D; full key at https://wonderfulagent.ai/.well-known/pgp-key.txt).
A great report includes:
- A clear title and one-line summary
- The affected URL, endpoint, or component and the version or build hash if known
- Step-by-step reproduction (numbered, with the exact request bodies, headers, and expected vs. observed behaviour)
- A short proof-of-concept video, screenshot, or curl command — whichever makes it fastest to reproduce
- Your assessment of impact (what an attacker could do, and to whom)
- Any suggested remediation, if you have one
- How you'd like to be credited (handle, real name, or anonymous)
What happens after you report
- Within 1 business day — automated acknowledgement and a triage ticket number
- Within 3 business days — a human on the security team replies with a severity assessment (CVSS v3.1) and either a fix plan or follow-up questions
- Within the SLA below — the issue is mitigated and you're notified
- After remediation — we agree a coordinated disclosure date with you (default 90 days, extendable by mutual agreement), publish an advisory if appropriate, and credit you in our hall of fame unless you've asked to remain anonymous
Remediation SLAs
- Critical (CVSS 9.0–10.0) — mitigated within 24 hours, fix shipped within 7 days
- High (7.0–8.9) — mitigated within 5 business days, fix shipped within 30 days
- Medium (4.0–6.9) — fix shipped within 60 days
- Low (0.1–3.9) — fix shipped within 90 days or rolled into a regular release
"Mitigated" means the attack path is closed in production, even if the underlying root cause takes longer to refactor properly.
Rewards
We pay bug bounties for valid, in-scope findings. Awards depend on severity, quality of the report, and impact:
- Critical — USD 5,000 – 25,000
- High — USD 1,500 – 5,000
- Medium — USD 250 – 1,500
- Low — USD 50 – 250 or branded swag
Bonus considerations: clear write-ups, working patches, novel exploit chains, and impact across multiple customer tenants can stack rewards. Duplicate reports go to whoever reported first with enough information to reproduce.
Hall of fame
Researchers who help us harden Wonderful Agent are listed at wonderfulagent.ai/security/credits. As of this revision, that list includes 47 individuals from 19 countries — and we'd be thrilled to add you.
Reporting AI-specific issues
Because we ship agents, we accept a broader category of findings than a traditional web app program: prompt injection that lets one customer's data leak to another, jailbreaks that bypass safety guardrails in production agents, model output that violates our published guarantees (e.g. an agent claiming to take an action it didn't, or refusing in scope). Please mark these reports [AGENT-SAFETY] in the subject line — they route to both security and the agent-safety team for joint triage.
Contact
Security reports: security@wonderfulagent.ai
Privacy / data requests: privacy@wonderfulagent.ai
Press / coordinated advisories: press@wonderfulagent.ai
Thank you for helping keep our customers safe.