Responsible Disclosure Policy

AgentGrade is a security research tool that performs only passive, non-intrusive checks on publicly accessible AI agent endpoints.

What We Do

• Check HTTPS availability
• Inspect HTTP response headers for security best practices
• Check for common admin paths returning 200
• Detect wildcard CORS configurations
• Flag potential credential exposure in public responses

What We Don't Do

• Attempt authentication or brute-force
• Send POST, PUT, DELETE, or other mutating requests
• Exploit any vulnerability
• Store or transmit any credentials found

Opt-Out

If you operate an AI agent and would like it excluded from AgentGrade scans, contact us and we will add your domain to our exclusion list.

Reporting Issues

If you believe AgentGrade has incorrectly assessed your agent, or if you have security concerns about our service, please reach out to us.