Report security vulnerabilities to security@agentralabs.tech.

DO NOT open public issues for security vulnerabilities.

We follow a responsible disclosure process:

1. Report the vulnerability via email to security@agentralabs.tech
2. Include a clear description, reproduction steps, and impact assessment
3. We will acknowledge receipt within 48 hours
4. We will provide an initial assessment within 7 business days
5. We will coordinate a fix and disclosure timeline with you

We care about:

• Cross-session data leakage -- .areal files exposing state from other sessions
• Reality file integrity -- tampering with deployment souls, reality anchors, or coherence state
• MCP server sandbox bypasses -- unauthorized access to system resources via MCP tools
• Privilege escalation -- gaining elevated access through the CLI or MCP server
• Memory safety -- buffer overflows, use-after-free, or other memory corruption
• Authentication bypass -- circumventing AGENTIC_TOKEN auth on server profiles
• Topology information disclosure -- leaking network topology or neighbor state

• Issues in dependencies (report directly to the dependency maintainer)
• Social engineering attacks
• Denial of service via expected high-load scenarios