Vulnerability Disclosure Policy

Last updated: 14 June 2026  ·  Effective: 14 June 2026

This document is a comprehensive legal framework draft. It must be reviewed and approved by licensed attorneys before publication and enforcement. It does not constitute legal advice.

1. Introduction and Our Security Commitment

1.1 Who We Are

Athena Agentic, Inc. ("Athena Agentic", "we", "us", or "our") builds the Athena Agentic Platform, an agentic AI core for security operations, comprising Aegis (autonomous detection and response engine), Vigil (24/7 agentic security operations center service), and Citadel (security technology management). Security is not an adjacent concern for us; it is our entire reason for existing. We hold ourselves to the standard we ask of our customers, and we believe that standard includes welcoming scrutiny from the security research community.

1.2 Purpose of This Policy

This Vulnerability Disclosure Policy (the "Policy" or "VDP") explains:

  • how security researchers and members of the public may report security vulnerabilities they discover in Athena Agentic's in-scope systems;
  • what conduct Athena Agentic authorizes when you act in good faith under this Policy (our "Safe Harbor");
  • the rules of engagement you must follow;
  • what you can expect from us in return, including acknowledgement, triage, and coordinated disclosure.

This Policy is designed as the single, authorized channel through which Athena Agentic invites good-faith security research against its own systems. It is benchmarked against recognized industry frameworks, including the guidance of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling) standards, and the public coordinated-disclosure programs operated by leading security and technology providers, while reflecting Athena Agentic's own requirements and risk posture.

1.3 Our Commitment to Good-Faith Researchers

We value the work of the security research community and recognize that independent, good-faith research makes the entire ecosystem safer. If you discover a vulnerability in an in-scope asset and report it to us in accordance with this Policy, we commit to:

  • work with you openly, promptly, and in good faith;
  • not pursue or support legal action against you for that research, as described in Section 3 (Safe Harbor);
  • treat your report as confidential, and not share your identity with third parties without your consent, except as required by law;
  • recognize your contribution where you wish to be recognized.

1.4 Relationship to Other Agreements

This Policy applies specifically to good-faith security research conducted against the in-scope assets described in Section 2. It does not modify, supersede, or waive any term of:

  • the Athena Agentic Terms of Service ("Terms");
  • the Athena Agentic Acceptable Use Policy ("AUP");
  • the Athena Agentic Privacy Policy; or
  • any Customer Agreement executed in writing between Athena Agentic and a customer.

Capitalized terms used but not defined in this Policy have the meanings given to them in the Terms or the AUP, as applicable. The Athena Agentic website (athenaagentic.com), the Athena Agentic Platform, and all associated services including Aegis, Vigil, and Citadel are referred to collectively as the "Services." A person or entity accessing or using the Services, including a person conducting research under this Policy, is a "User" and, where conducting such research, a "Researcher" or "you."

2. Scope

2.1 In-Scope Assets

The following assets are within the scope of this Policy and may be the subject of good-faith security research conducted in accordance with the rules in Section 4:

| Category | In-scope target |
|---|---|
| Primary web property | `athenaagentic.com` and its public-facing subdomains owned and operated by Athena Agentic |
| Platform public surfaces | Publicly accessible, internet-facing components of the Athena Agentic Platform that Athena Agentic owns and operates, including public marketing, authentication, and account-management surfaces |
| Public APIs | Internet-facing application programming interfaces that Athena Agentic publicly documents or exposes as part of the Services |
| Disclosure metadata | The `/.well-known/security.txt` file and related published security contact information |

The authoritative, current list of in-scope domains, subdomains, IP ranges, and API endpoints is maintained at [athenaagentic.com/.well-known/security.txt: Athena Agentic to confirm and keep current]. Where this Policy and the published `security.txt` differ as to a specific asset's scope, the `security.txt` controls.

Only assets that Athena Agentic owns or operates are in scope. If you are unsure whether a specific asset, domain, subdomain, or endpoint is in scope, stop and ask first by emailing security@athenaagentic.com before conducting any testing.

2.2 Out-of-Scope Assets and Activities

The following are expressly out of scope. Testing against, or activity directed at, any of the following is not authorized by this Policy, is not covered by the Safe Harbor in Section 3, and may violate the AUP, the Terms, or applicable law:

(a) Third-party services, platforms, and infrastructure: including cloud providers, content-delivery networks, email providers, payment processors, identity providers, open-source dependencies, and any other product or service that Athena Agentic does not own or operate, even where Athena Agentic uses or integrates with it. Report vulnerabilities in third-party products to the relevant vendor under that vendor's own disclosure program.

(b) Customer environments, tenants, and data: any customer's tenant, instance, workspace, account, configuration, deployment, or data within the Services. Athena Agentic cannot and does not authorize you to test against, access, or interact with any environment or data belonging to a customer.

(c) Findings that require access to, or the data of, another customer, user, or person: any vulnerability whose demonstration, reproduction, or proof-of-concept would require you to access, view, modify, exfiltrate, or destroy data that is not your own, or to access another party's tenant or account.

(d) Physical attacks: any attempt to gain physical access to Athena Agentic offices, data centers, facilities, hardware, personnel, or equipment, and any testing of physical security controls.

(e) Social engineering: phishing, vishing, smishing, pretexting, baiting, or any other social-engineering technique directed at Athena Agentic employees, contractors, customers, partners, suppliers, or their families, including attempts to obtain credentials or access through deception.

(f) Denial-of-service and availability impairment: any denial-of-service (DoS) or distributed denial-of-service (DDoS) attack, volumetric testing, resource-exhaustion testing, or any automated activity that degrades, disrupts, or impairs the availability or performance of the Services for others. See Section 4.2.

(g) Non-production, internal, and corporate systems: internal corporate IT, employee productivity systems, source-code repositories, build pipelines, staging environments not explicitly listed as in scope, and any system not enumerated as in-scope in Section 2.1 or the published `security.txt`.

(h) Supply-chain and personnel targeting: targeting Athena Agentic's vendors, subprocessors, contractors, or personnel as a path to the Services.

The fact that an asset is technically reachable from the internet does not place it in scope. When in doubt, treat it as out of scope and ask.

2.3 Agentic-AI-Specific Note

Athena Agentic's Services include autonomous, agentic AI components. Good-faith research into the security of in-scope AI surfaces, for example, authentication, authorization, tenant isolation, or input-handling weaknesses in publicly exposed Platform components, is welcome under this Policy. However, the AUP's prohibitions on prompt extraction, model extraction, agent replication, reverse engineering, and using outputs to train competing systems (AUP Sections 2.2, 2.3, and 3) remain fully in force. Probing a model's content behavior, attempting to extract system prompts or model weights, or eliciting policy-violating model outputs is not a security vulnerability for purposes of this Policy and is not authorized.

3. Safe Harbor

3.1 Authorization

Athena Agentic considers security research and vulnerability disclosure activities conducted in good faith and in accordance with this Policy to be authorized conduct. If you make a good-faith effort to comply with this Policy during your research, Athena Agentic will:

(a) regard your research and disclosure as authorized access for purposes of the U.S. Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, and any analogous state computer-crime laws;

(b) regard your activity as lawful, authorized conduct that does not violate the anti-circumvention provisions of the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1201, to the extent it relates to good-faith testing of in-scope assets under this Policy;

(c) not initiate, pursue, recommend, or support any civil or criminal legal action against you arising from that research, and not refer you to law enforcement for that research;

(d) take steps, where another party (including law enforcement) brings action against you for activity that Athena Agentic determines was conducted in good faith under this Policy, to make known, publicly or to that party, as appropriate, that your activity was authorized under this Policy; and

(e) treat the safe-harbor protections in this Section as applying to a good-faith violation of this Policy that you commit by accident, provided you promptly disclose the violation and cooperate with us in good faith.

3.2 Conditions and Limits of the Safe Harbor

This authorization is conditional and applies only to the extent your conduct satisfies all of the following:

(a) you act in good faith and do not use, or attempt to use, any vulnerability for any purpose other than testing, verifying, and reporting it to Athena Agentic;

(b) you stay within scope as defined in Section 2 and do not engage in any out-of-scope activity;

(c) you comply with the Rules of Engagement in Section 4, including the prohibitions on data access, denial-of-service, social engineering, and premature public disclosure;

(d) you comply with all applicable law; and

(e) you give Athena Agentic a reasonable opportunity to investigate and remediate before any disclosure, as described in Sections 6 and 7.

3.3 What the Safe Harbor Does Not Cover

This Safe Harbor is a statement of Athena Agentic's intent not to pursue good-faith researchers; it is not a general license to break the law or harm others. Specifically, this authorization does not extend to, and Athena Agentic does not authorize:

(a) any activity that violates the rights of, or causes harm to, Athena Agentic's customers, users, employees, partners, or any other third party;

(b) any access to, modification of, exfiltration of, or destruction of data that is not your own;

(c) any out-of-scope activity, including any activity directed at third-party services or customer environments (Section 2.2);

(d) any violation of applicable law, including privacy, data-protection, wiretap, computer-crime, or export-control laws; or

(e) any conduct that exceeds what is reasonably necessary to identify, confirm, and report a vulnerability in good faith.

Athena Agentic, in its reasonable discretion, will determine whether research was conducted in good faith and in accordance with this Policy. If you have any uncertainty about whether a specific action is authorized, contact security@athenaagentic.com and ask before proceeding. We would much rather answer a question in advance than learn of a problem after the fact.

3.4 No Third-Party Authorization

This Policy authorizes testing only of assets that Athena Agentic owns or operates. Athena Agentic cannot and does not grant you permission to test any system owned or operated by any third party, including any customer, vendor, subprocessor, or integration partner. You remain solely responsible for ensuring that you have all necessary authorizations before testing any system, and for compliance with all agreements and laws applicable to you.

4. Rules of Engagement

To remain authorized under Section 3, your research must comply with the following rules at all times.

4.1 Permitted Activities

When testing in-scope assets in good faith, you may:

  • test only your own accounts, data, and test artifacts, or accounts and data for which you have explicit, documented permission from the account holder;
  • create test accounts that you own to investigate multi-user or authorization behavior, provided you interact only with data belonging to those accounts;
  • develop and demonstrate a minimal, non-destructive proof-of-concept (PoC) sufficient to establish the existence and impact of a vulnerability, and no further;
  • view only the minimum amount of data necessary to confirm a vulnerability, and stop as soon as the vulnerability is confirmed;
  • use manual techniques and, where strictly necessary, lightly rate-limited automated tooling that does not degrade the Services (see Section 4.2(b)).

4.2 Prohibited Activities

You must not, at any time, do any of the following. Each of these is also addressed in the AUP and the Terms, which continue to apply:

(a) Denial-of-service / availability impairment: conduct any DoS or DDoS attack, volumetric flooding, resource-exhaustion test, or any activity intended or likely to degrade, disrupt, or impair the availability, integrity, or performance of the Services for any other person.

(b) Service-degrading automated scanning: run automated scanners, fuzzers, crawlers, or brute-force tools at a volume or rate that degrades the Services, generates excessive traffic, or interferes with normal operation. Throttle aggressively; if your tooling could affect availability, do not run it.

(c) Social engineering and phishing: engage in any social-engineering, phishing, vishing, smishing, or pretexting activity directed at Athena Agentic employees, contractors, customers, partners, suppliers, or any other person.

(d) Physical attacks: attempt physical access to, or physical testing of, any Athena Agentic facility, hardware, or personnel.

(e) Accessing data that is not yours: access, copy, download, retain, modify, corrupt, encrypt, delete, or exfiltrate any data that does not belong to you, including any personal data, customer data, credentials, secrets, or Confidential Information. If you inadvertently encounter such data, stop immediately, do not save or transmit it, and follow Section 4.3.

(f) Accessing another customer's tenant: access, attempt to access, or interact with any customer tenant, instance, workspace, or account other than your own test environment.

(g) Pivoting and persistence: use any access gained to pivot to other systems, escalate beyond what is necessary to demonstrate the vulnerability, install backdoors, establish persistence, or maintain access after reporting.

(h) Privacy and surveillance violations: intercept, monitor, or surveil communications, traffic, or data of others; deploy malware, ransomware, or any malicious code; or otherwise violate any person's privacy.

(i) Premature or public disclosure: disclose, publish, or share any vulnerability, exploit, PoC, or related information publicly or with any third party before coordinated disclosure is complete under Sections 6 and 7.

(j) Extortion and coercion: demand payment, threaten disclosure, or otherwise attempt to coerce Athena Agentic as a condition of reporting or withholding a vulnerability. Such conduct is not good-faith research, voids the Safe Harbor, and may constitute extortion under applicable law.

(k) AI-model misuse: attempt prompt extraction, model extraction, agent replication, reverse engineering, or use of outputs to train competing systems, as prohibited by AUP Sections 2.2, 2.3, and 3 (see Section 2.3).

4.3 If You Encounter Sensitive Data or Cause Unintended Impact

If, during good-faith testing, you inadvertently (a) access data that is not your own (including personal data or Confidential Information), (b) gain access beyond the minimum necessary, or (c) cause or risk causing service disruption, you must immediately:

  1. stop the activity that caused or risks the impact;
  2. avoid saving, copying, transmitting, or further accessing any data you were not authorized to access;
  3. notify Athena Agentic without undue delay at security@athenaagentic.com, describing what occurred; and
  4. cooperate with Athena Agentic's instructions, including securely deleting any inadvertently obtained data upon request and certifying such deletion.

Prompt, good-faith disclosure and cooperation under this Section will be considered favorably and, per Section 3.1(e), an accidental good-faith violation handled this way remains within the spirit of the Safe Harbor.

5. How to Report a Vulnerability

5.1 Reporting Channel

Report all suspected security vulnerabilities by email to:

security@athenaagentic.com

This is the authorized intake channel for vulnerability reports under this Policy. Please do not report security vulnerabilities through public channels such as social media, public issue trackers, support chat, or sales contacts, as doing so may expose the vulnerability before it can be remediated.

Our published machine-readable security contact information is available at `https://athenaagentic.com/.well-known/security.txt`, maintained in accordance with RFC 9116. That file is the authoritative source for our current security contact address, encryption key, policy link, and preferred languages. [Athena Agentic to confirm `security.txt` is published and kept current.]
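The `security.txt` fields named above (contact address, encryption key, policy link, preferred languages) are the RFC 9116 `Contact`, `Encryption`, `Policy` and `Preferred-Languages` fields, and RFC 9116 additionally requires an `Expires` field. The checker below is an added example, not Athena Agentic's own code or tooling: it parses a `security.txt` and flags the problems a reader of the file would most want to know about (missing required fields, a non-URI contact, a non-HTTPS link, an expired or missing expiry). The sample file embedded in it is constructed for illustration; only the contact address and the canonical URL come from this Policy, and the `Encryption` and `Policy` URLs are labelled placeholders.

```python
"""Minimal RFC 9116 security.txt checker.

Added example, not Athena Agentic's own code. The sample file below is
constructed for illustration: the Encryption and Policy URLs are placeholders,
not published Athena Agentic addresses. The real file is served at
https://athenaagentic.com/.well-known/security.txt.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample. Only the Contact address and Canonical URL come from the
# Policy text; the other URLs are placeholders.
SAMPLE_SECURITY_TXT = """\
# Constructed sample security.txt
Contact: mailto:security@athenaagentic.com
Expires: 2027-06-14T00:00:00Z
Encryption: https://athenaagentic.com/PLACEHOLDER-public-key.asc
Policy: https://athenaagentic.com/PLACEHOLDER-vulnerability-disclosure-policy
Preferred-Languages: en
Canonical: https://athenaagentic.com/.well-known/security.txt
"""

# Fixed "current time" used by the stand-alone run so the result is reproducible.
CHECKED_AT = datetime(2026, 6, 14, tzinfo=timezone.utc)

REQUIRED = ("contact", "expires")                   # RFC 9116: MUST be present
SINGLE_VALUED = ("expires", "preferred-languages")  # RFC 9116: MUST NOT repeat
CONTACT_SCHEMES = ("mailto:", "https:", "tel:")
HTTPS_ONLY = ("encryption", "policy", "canonical", "acknowledgments", "hiring")


def parse_security_txt(text):
    """Parse security.txt into {lowercased field name: [values]}.

    Field names are case-insensitive in RFC 9116, so keys are lowercased.
    Blank lines and '#' comments are skipped; a line without ':' is malformed.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must appear at most once: {name}")

    # Contact values must be URIs; a bare e-mail address is a common mistake.
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto/https/tel URI: {contact}")

    # Link fields must be served over HTTPS so they cannot be altered in transit.
    for name in HTTPS_ONLY:
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} must be an https:// URL: {url}")

    # Expires is an RFC 3339 timestamp; a stale file means stale contact data.
    expires = fields.get("expires", [])
    if len(expires) == 1:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"expires is not an RFC 3339 timestamp: {expires[0]}")
        else:
            if when.tzinfo is None:
                problems.append("expires lacks a time zone offset")
            elif when <= now:
                problems.append(f"security.txt expired at {expires[0]}; contact data may be stale")
            elif when - now > timedelta(days=365):
                problems.append("expires is more than a year out (RFC 9116 recommends under a year)")
    return problems


if __name__ == "__main__":
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT, now=CHECKED_AT) or ["ok"]:
        print(problem)
```

Run against the constructed sample at the fixed check time the block reports `ok`; point it at a fetched copy of a real `security.txt` (and drop the `now=` argument) to see whether the file is still within its `Expires` window before relying on the contact address it lists.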

5.2 What to Include

To help us validate and remediate quickly, please include as much of the following as you can:

  • Affected asset: the specific domain, subdomain, URL, IP address, API endpoint, or component affected, and confirmation that it is in scope under Section 2;
  • Vulnerability type: a clear description and, where applicable, the relevant classification (e.g., CWE identifier or OWASP category);
  • Reproduction steps: clear, step-by-step instructions to reproduce the issue, including any required preconditions, accounts, headers, parameters, or payloads;
  • Proof-of-concept: a minimal, non-destructive PoC (screenshots, request/response captures, short scripts, or a short video) sufficient to demonstrate the issue without accessing third-party or customer data;
  • Impact assessment: your assessment of the security impact and a realistic exploitation scenario, including any chained conditions;
  • Environment details: relevant tooling, browser/OS, timestamps (with time zone), and source IP address(es) you used, so we can correlate against our logs;
  • Your contact details: how you would like us to reach you, and whether you wish to be credited (see Section 6.5).

Reports in [English: Athena Agentic to confirm any additional supported languages] are preferred. One clearly written vulnerability per report is preferred; please file separate reports for unrelated issues.

5.3 Encryption (Optional)

If your report contains sensitive details, you may encrypt it. Our PGP/GPG public key and key fingerprint are published in our `security.txt` and at [link to public key: Athena Agentic to confirm]. Encryption is encouraged for high-severity findings but is not required to receive Safe Harbor protection.

5.4 Anonymous Reports

You may report anonymously. Note that anonymity may limit our ability to acknowledge you, provide status updates, request clarification, or offer recognition, and may make it harder to confirm that your activity qualified for the Safe Harbor. We will still investigate good-faith anonymous reports.

6. Our Commitments to You

When you submit a report in accordance with this Policy, Athena Agentic commits to the following. Timeframes are targets, measured in business days at Athena Agentic's principal place of business, and may vary with report volume, severity, and complexity.

6.1 Acknowledgement

We will acknowledge receipt of your report within [3: Athena Agentic to confirm] business days.

6.2 Triage and Validation

We will triage your report, work to validate and reproduce the issue, and assess its severity, for example using the Common Vulnerability Scoring System (CVSS) or a comparable internal rating. We may contact you for additional information; timely responses help us move faster.

6.3 Status Updates

We will provide an initial assessment, including whether we have validated the issue and its preliminary severity, within [10: Athena Agentic to confirm] business days of acknowledgement, and will provide periodic updates as remediation progresses. You are welcome to request a status update at any time.

6.4 Remediation and Coordinated Disclosure Timeline

We will work to remediate validated vulnerabilities in a timeframe commensurate with their severity and complexity. Our target for coordinated public disclosure is within [90: Athena Agentic to confirm] days of our acknowledgement of a validated report, subject to the coordination process in Section 7. We will keep you informed and will work with you in good faith on disclosure timing.

6.5 Recognition

With your consent, we are happy to publicly acknowledge your contribution, for example in a security acknowledgements or "hall of fame" page, in release notes, or in a security advisory. Tell us in your report how you would like to be credited (name, handle, organization, link), or that you prefer to remain anonymous. [Athena Agentic to confirm whether a public acknowledgements page is maintained and its location.]

6.6 No Monetary Bounty by Default

This Policy establishes a coordinated vulnerability disclosure program. It is not a paid bug-bounty program. Unless Athena Agentic agrees otherwise in a separate, express written agreement, Athena Agentic does not offer monetary rewards, bounties, or other compensation for reports submitted under this Policy, and no submission creates any obligation to pay. Submitting a report does not entitle you to any fee, reward, or other consideration. Athena Agentic may, in its sole discretion, choose to recognize exceptional contributions; any such recognition is voluntary and does not create an expectation of future awards. [Athena Agentic to confirm whether any bounty or rewards program is offered and, if so, to publish separate program terms.]

6.7 Confidentiality of Your Report

We will treat your report as confidential. We will not share your identity or personal information with third parties without your consent, except where required by law or legal process. We may share the technical details of your report internally and with affected vendors or partners strictly as needed to remediate the issue.

7. Coordinated Disclosure

7.1 Principle

Athena Agentic follows the principle of coordinated disclosure: we ask that you give us a reasonable opportunity to investigate and remediate a reported vulnerability before any public disclosure, and we commit to working with you on timing in good faith. This approach protects users while still allowing the community to learn from and benefit from your research.

7.2 No Public Disclosure Before Coordination

You agree not to disclose, publish, or otherwise make available to any third party any information about a reported vulnerability, including its existence, technical details, exploit code, or PoC, until the earlier of:

(a) Athena Agentic has confirmed that the vulnerability has been remediated (or that it has determined no remediation is warranted) and has authorized disclosure; or

(b) the expiration of the coordinated-disclosure period of [90: Athena Agentic to confirm] days from Athena Agentic's acknowledgement of your validated report, unless the parties have agreed in writing to extend it.

7.3 Coordinating Timelines and Extensions

Some vulnerabilities are complex, affect multiple components, or require coordination with third parties, and may take longer than the default period to remediate safely. In such cases we will tell you, explain why, and propose a revised timeline. We ask that you work with us in good faith on reasonable extensions. Conversely, where a vulnerability is being actively exploited or poses imminent risk, we may expedite.

7.4 Coordinated Publication

Where you wish to publish your research after coordinated disclosure, we welcome the opportunity to review the draft in advance, to coordinate timing, and, with your consent, to publish a corresponding advisory. We will not unreasonably restrict good-faith publication of your own original research following coordinated disclosure, provided it does not include Athena Agentic Confidential Information, customer data, personal data, or working exploit code that would put users at risk. [Athena Agentic to confirm whether it assigns or requests CVE identifiers and its advisory-publication practice.]

7.5 Premature Disclosure

Public disclosure before coordinated disclosure is complete is a violation of this Policy, voids the Safe Harbor in Section 3 as to that disclosure, and may expose users to harm. If you believe disclosure is necessary in the public interest before remediation, contact us first at security@athenaagentic.com so we can discuss.

8. Exclusions

The following are generally not eligible as security vulnerabilities under this Policy and, on their own, will typically be closed as informational. Where you can demonstrate a concrete, exploitable security impact, we welcome a report that shows that impact:

(a) reports from automated tools or scanners that have not been validated and lack a demonstrated, exploitable impact;

(b) vulnerabilities already known to Athena Agentic, previously reported by another party, or already in the process of being remediated;

(c) theoretical vulnerabilities, or findings based solely on best-practice recommendations, without a realistic, demonstrated exploitation path;

(d) missing security headers (e.g., Content-Security-Policy, HSTS, X-Frame-Options) without a demonstrated, exploitable impact;

(e) absence of, or weaknesses in, rate limiting, brute-force protection, or account-lockout, absent a demonstrated impact;

(f) reports of outdated software versions, weak TLS configurations, or supported-cipher findings without a working proof of exploitability;

(g) SPF, DKIM, or DMARC configuration findings, and email spoofing or deliverability concerns, without demonstrated impact;

(h) self-XSS, or issues that require an unlikely degree of user interaction, social engineering, or a fully compromised or jailbroken device or browser;

(i) clickjacking on pages with no sensitive state-changing actions, and missing "secure" or "httponly" cookie flags on non-sensitive cookies;

(j) descriptive error messages, stack traces, banner-grabbing, or version disclosure without sensitive information leakage;

(k) verbose user-enumeration findings of minimal sensitivity, and login/logout/email-verification CSRF;

(l) denial-of-service findings, resource-exhaustion findings, and any finding whose demonstration requires prohibited activity under Section 4.2;

(m) physical, social-engineering, and out-of-scope findings as described in Section 2.2;

(n) content, behavioral, "hallucination," or policy-output observations about the AI models, as opposed to bona fide security vulnerabilities (see Section 2.3);

(o) vulnerabilities affecting users of unsupported or end-of-life browsers, plugins, or operating systems.

This list is illustrative, not exhaustive. [Athena Agentic to confirm and maintain its current exclusions list, which may be published alongside this Policy.] Athena Agentic determines eligibility and severity in its reasonable discretion.

9. Relationship to the Acceptable Use Policy

The AUP prohibits unauthorized security testing of the Services and requires that security research and vulnerability disclosure be conducted under authorization from Athena Agentic. Specifically:

  • AUP Section 2.1 prohibits unauthorized penetration testing, vulnerability scanning, and security probing "without express written authorization from Athena Agentic";
  • AUP Section 4 ("Authorized Security Research") provides that authorized security research, including authorized penetration testing or vulnerability disclosure, must be conducted under authorization from Athena Agentic; and
  • AUP Section 5 ("Reporting Violations") encourages responsible disclosure of potential security vulnerabilities.

This Policy is the authorized channel that those AUP provisions contemplate. Good-faith security research conducted strictly within the scope (Section 2) and rules (Section 4) of this Policy is authorized for purposes of the AUP and the Terms, and is protected by the Safe Harbor in Section 3. To the extent of any conflict between this Policy and the AUP with respect to good-faith research on in-scope assets conducted under this Policy, this Policy controls for that research only.

All security testing that is outside the scope of this Policy, or that does not comply with its rules, remains unauthorized and is prohibited under the AUP and the Terms, regardless of intent. For authorization to conduct penetration testing or other assessment beyond the scope of this Policy (for example, against a customer environment or under a contractual engagement), contact Legal@athenaagentic.com to request a separate written authorization, as described in AUP Section 4.

10. Legal Terms

10.1 No Warranty; No Relationship Created

This Policy is provided for informational purposes and does not create any contract, partnership, joint venture, agency, employment, or fiduciary relationship between you and Athena Agentic. Participation under this Policy is voluntary. Nothing in this Policy obligates Athena Agentic to remediate any particular vulnerability on any particular timeline, to compensate you, or to take any specific action, except as expressly stated.

10.2 Intellectual Property and Confidentiality

This Policy does not grant you any license or right in or to any Athena Agentic intellectual property, trademark, trade secret, or Confidential Information, except the limited authorization to test in-scope assets in good faith as described herein. Any non-public information you obtain about the Services through your research, including vulnerability details prior to coordinated disclosure, is Athena Agentic Confidential Information and must be handled in accordance with Sections 4, 7, and the confidentiality obligations of the Terms. By submitting a report, you grant Athena Agentic a perpetual, irrevocable, worldwide, royalty-free, sublicensable license to use, reproduce, modify, and act upon the contents of your report for any lawful purpose, including remediating the vulnerability and improving the Services, without restriction or obligation to you. You represent that your submission is your original work and that you have the right to submit it.

10.3 Privacy

Any personal information you provide in a report (such as your name and contact details) will be processed in accordance with the Athena Agentic Privacy Policy and used to administer this Policy: to communicate with you, investigate and remediate the report, and, with your consent, provide recognition. Privacy questions may be directed to Privacy@athenaagentic.com.

10.4 Governing Law

This Policy and any dispute, controversy, or claim arising out of or relating to it shall be governed by and construed in accordance with the laws of the State of New York, United States of America, without regard to its conflict-of-law rules. This governing-law provision aligns with, and is to be read consistently with, the governing-law and dispute-resolution provisions of the Terms.

10.5 Dispute Resolution

Any dispute arising out of or relating to this Policy shall be resolved in accordance with the dispute-resolution provisions of the Terms (including informal resolution, mandatory mediation, and binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules in New York, New York, and the class-action and jury-trial waivers therein), which are incorporated into this Policy by reference.

10.6 Reservation of Rights; Immediate Equitable Relief

Athena Agentic reserves all legal rights with respect to any activity that falls outside the scope of, or fails to comply with, this Policy, and nothing in this Policy waives any such right. Consistent with the Terms and the AUP, and notwithstanding Section 10.5, Athena Agentic retains the unconditional right to seek and obtain immediate injunctive and other equitable relief from any court of competent jurisdiction, without prior notice and without first completing any mediation or arbitration requirement, in connection with any actual or threatened: (a) infringement or misappropriation of Athena Agentic's intellectual property, trade secrets, or Confidential Information; (b) unauthorized access to, or exploitation of, the Services; (c) reverse engineering, model extraction, prompt extraction, agent extraction, or competitive replication activity; (d) unauthorized scraping or data extraction; (e) breach of confidentiality; or (f) activity that threatens the security of the Services, Athena Agentic's customers, or their data, or that threatens irreparable harm. Seeking such relief does not waive any right to arbitration.

10.7 No Waiver

No failure or delay by Athena Agentic in exercising any right under this Policy operates as a waiver, and no single or partial exercise precludes any other or further exercise of that or any other right. Athena Agentic's decision to authorize good-faith research under this Policy is not a waiver of any right with respect to non-conforming or out-of-scope conduct.

10.8 Severability

If any provision of this Policy is held invalid, illegal, or unenforceable, that provision shall be modified to the minimum extent necessary to make it enforceable, and the remaining provisions shall remain in full force and effect.

10.9 Changes to This Policy

Athena Agentic may modify this Policy at any time. The "Last updated" date above reflects the most recent revision. Changes are effective when posted. The version of this Policy in effect at the time of your research governs that research. We encourage you to review the current Policy, and the published `security.txt`, before beginning any testing.

11. Contact

Report security vulnerabilities to:

  • Security reports: security@athenaagentic.com
  • Machine-readable contact: `https://athenaagentic.com/.well-known/security.txt` (RFC 9116)

For related matters:

  • Legal and authorization requests beyond this Policy's scope: Legal@athenaagentic.com
  • Privacy questions: Privacy@athenaagentic.com
  • General product support: Support@athenaagentic.com

Thank you for helping keep Athena Agentic, our customers, and the broader security community safe.

*This Vulnerability Disclosure Policy is a draft prepared for review by Athena Agentic's licensed legal counsel and authorized representatives. It must be reviewed, completed (including all bracketed items), and approved before publication and enforcement.*

Source of truth: /docs/legal/VulnerabilityDisclosurePolicy.md