We take the security of the Agent Messaging Protocol seriously. If you discover a security vulnerability, please report it responsibly.
Email: security@agentmessaging.org
GitHub: Open a security advisory. Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
| Timeframe | Action |
|---|---|
| 24 hours | Acknowledgment of your report |
| 72 hours | Initial assessment and severity classification |
| 7 days | Status update on fix timeline |
| 90 days | Public disclosure (coordinated with you) |
This policy covers:
- The Agent Messaging Protocol specification
- Reference implementations maintained by this organization
- The agentmessaging.org website
Out of scope:
- Third-party implementations
- Provider-specific issues (contact the provider directly)
The protocol includes several security mechanisms:
- Cryptographic Signatures - All messages are signed with Ed25519 keys
- Key Verification - Public keys are registered with providers and verified on receipt
- Transport Security - TLS 1.3+ required for all provider communication
- Rate Limiting - Providers must implement rate limiting to prevent abuse
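As an added illustration of the first two mechanisms (this is example code, not the project's reference implementation), the following Go program signs a message with an Ed25519 key and verifies it on receipt against a provider-side key registry. The `Message` field layout, the signing-input encoding, the registry shape and the addresses are assumptions made for the example; the real envelope format is defined in the specification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Message is a constructed stand-in for a protocol envelope. The field set is
// an assumption for this example, not the specification's schema.
type Message struct {
	Sender    string
	Recipient string
	Body      string
	Signature []byte
}

// signingInput is the exact byte string the signature covers. Binding sender
// and recipient into it means a valid signature cannot be replayed under a
// different sender or redirected to another recipient.
func signingInput(m Message) []byte {
	return []byte(m.Sender + "\x00" + m.Recipient + "\x00" + m.Body)
}

// Registry models the provider-side map from sender address to the public key
// that sender registered. Verification only trusts keys found here.
type Registry map[string]ed25519.PublicKey

var (
	ErrUnknownSender = errors.New("sender has no registered key")
	ErrBadSignature  = errors.New("signature verification failed")
)

// Sign returns a copy of m carrying an Ed25519 signature over signingInput(m).
func Sign(priv ed25519.PrivateKey, m Message) Message {
	m.Signature = ed25519.Sign(priv, signingInput(m))
	return m
}

// Verify is the receive-side check: look up the sender's registered key, then
// verify the signature over the same byte string the sender signed.
func Verify(reg Registry, m Message) error {
	pub, ok := reg[m.Sender]
	if !ok {
		return ErrUnknownSender
	}
	if len(m.Signature) != ed25519.SignatureSize || !ed25519.Verify(pub, signingInput(m), m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Demo runs the flow end to end and reports whether a genuine message is
// accepted, a body-tampered copy is rejected, and a message claiming an
// unregistered sender is rejected.
func Demo() (accepted, tamperedRejected, unknownRejected bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed registry entry: alice has registered her public key.
	reg := Registry{"alice@example.test": pub}

	m := Sign(priv, Message{Sender: "alice@example.test", Recipient: "bob@example.test", Body: "hello"})
	accepted = Verify(reg, m) == nil

	tampered := m
	tampered.Body = "hello, please approve the transfer"
	tamperedRejected = errors.Is(Verify(reg, tampered), ErrBadSignature)

	spoofed := m
	spoofed.Sender = "mallory@example.test"
	unknownRejected = errors.Is(Verify(reg, spoofed), ErrUnknownSender)
	return
}

func main() {
	a, t, u := Demo()
	fmt.Printf("genuine accepted=%v tampered rejected=%v unknown sender rejected=%v\n", a, t, u)
}
```

The point to carry into a real implementation is that verification keys come from the registry, never from the message itself, and that the signed byte string is reconstructed independently by the receiver rather than taken from the wire.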
For detailed security architecture, see spec/07-security.md.
| Version | Supported |
|---|---|
| 0.1.x (draft) | ✅ |
We appreciate responsible disclosure. With your permission, we'll acknowledge your contribution in our release notes and security advisories.
- Security issues: security@agentmessaging.org
- General questions: hello@agentmessaging.org
- Protocol discussions: GitHub Discussions