Our commitment
Applied Theory LLC takes the security of the AEGIS platform seriously. We are a security company — we build governance infrastructure for AI agents precisely because accountability and tamper-evident auditability matter. We hold ourselves to the same standard.
If you have discovered a potential security vulnerability in the AEGIS platform, we want to hear from you. We are committed to working with security researchers and the broader community to investigate and resolve issues quickly and transparently.
How to report a vulnerability
For reports containing sensitive data — credential fragments, CCR record contents, AIM YAML files, or any data extracted from AEGIS systems — please encrypt your submission using our PGP public key.
Please include in your report:
- A clear description of the vulnerability and its potential impact
- Steps to reproduce, including any proof-of-concept code or screenshots
- The AEGIS component or endpoint affected (see Scope below)
- Your contact information for follow-up
What to expect from us
| Milestone | Target |
|---|---|
| Acknowledgment of your report | Within 24 hours |
| Initial triage and severity assessment | Within 5 business days |
| Status update during investigation | Every 14 days |
| Resolution or workaround communicated | Severity-dependent |
| Public advisory published (if applicable) | Coordinated with you |
We treat all reports as confidential. We will not share your identity or contact information with third parties without your explicit permission.
Safe harbor
Applied Theory LLC will not pursue legal action against researchers who:
- Discover and report vulnerabilities in good faith under this policy
- Avoid accessing, modifying, or exfiltrating data beyond what is necessary to demonstrate the vulnerability
- Do not exploit a vulnerability for purposes beyond demonstration
- Do not disrupt AEGIS services or the operations of customers using the platform
- Provide us with reasonable time to investigate and remediate before public disclosure
We consider good-faith security research to be a contribution to the security community and to the integrity of the AEGIS platform.
Coordinated disclosure
We ask that researchers allow Applied Theory LLC 90 days from the date of the initial report to investigate, remediate, and prepare any necessary advisories before public disclosure. If a vulnerability is particularly severe or complex, we will communicate openly about timeline extensions and work with you on a coordinated disclosure plan.
If a critical vulnerability is actively being exploited in the wild, we reserve the right to accelerate remediation and disclosure timelines.
Scope
In scope: please report issues here
- AEGIS platform APIs and authentication endpoints
- AIM (Agent Identity Manifest) parsing, signing, and validation pipeline
- CCR (Contextual Compliance Record) ledger integrity — hash chain, KMS signature verification, INSERT-only enforcement
- MCP Security Gateway — replay detection, manifest change detection, injection scanning
- AEGIS Data Source Proxy Layer — proxy token issuance, credential isolation, query inspection
- Zone 1 enforcement — capability checker, parameter validator, rate limiter, output inspector
- AEGIS Control Plane API — agent registry, incident response endpoints
- Authentication, authorization, and session management across all AEGIS services
- Injection vulnerabilities (SQL, command, prompt) in any AEGIS component
- Cryptographic weaknesses in AIM signing (RS256) or CCR hash chain (SHA-256)
Out of scope: please do not test or report
- Denial of service (DoS/DDoS) attacks against AEGIS infrastructure
- Social engineering of Applied Theory LLC employees or contractors
- Physical security of Applied Theory LLC facilities
- Vulnerabilities in third-party services or infrastructure we do not control
- Issues in customer-deployed environments or customer-managed AEGIS configurations
- Vulnerabilities already known to us or previously reported
- Findings from automated scanners without evidence of exploitability
Security posture
Applied Theory LLC applies the following security standards to the AEGIS platform.
Cryptography
- AIM behavioral contracts: RS256 (RSA-PKCS1v15 + SHA-256), keys generated and stored in HSM/KMS only
- CCR ledger: SHA-256 hash chain per record, KMS-signed before INSERT
- Data in transit: TLS 1.3 minimum across all services and zone-to-zone (mTLS)
- Data at rest: AES-256 encryption
Credential & secret management
- AI applications receive short-lived proxy tokens only — real database credentials are never issued to the AI layer
- No credentials, secrets, or API keys in application source code or configuration files
- Secrets managed via KMS; rotated through the Zone 4 Control Plane
Audit integrity
- The CCR ledger is INSERT-only at the database grant level — no UPDATE or DELETE is permitted
- Every CCR record is KMS-signed and SHA-256 hash-chained to the prior record
- External WORM anchoring available for regulated deployments
Security testing & compliance
- Security-critical modules maintain 100% test coverage as a hard CI/CD gate
- Penetration testing conducted on a regular cadence
- Aligned with NSA MCP CSI, OCC SR 11-7, NIST AI RMF, EU AI Act Article 14, IMO MSC.428(98); SOC 2 Type II in progress
Security advisories
Applied Theory LLC publishes security advisories for vulnerabilities that affect the confidentiality, integrity, or availability of the AEGIS platform. Advisories are listed as they are issued.
No advisories have been issued to date.
Contact
This policy is effective as of May 2026 and will be updated as the platform evolves.