If you discover a security vulnerability in AgentBus, please report it responsibly.

Do NOT open a public issue.

Instead, email us at: security@agentbus.dev

We will acknowledge receipt within 48 hours and provide a detailed response within 5 business days.

• We will confirm the vulnerability and determine its impact.
• We will release a fix as soon as possible.
• We will credit the reporter (unless they prefer to remain anonymous).

When using AgentBus:

1. Always validate webhook signatures (HMAC-SHA256).
2. Never commit .env files or API keys to your repository.
3. Use TLS for all agent communication.
4. Enable authentication on the webhook ingestion API.
5. Monitor the dead letter queue for failed events.