Now accepting new firms for the Spring 2026 cohort.Request AccessNow accepting new firms for the Spring 2026 cohort.Request AccessNow accepting new firms for the Spring 2026 cohort.Request AccessNow accepting new firms for the Spring 2026 cohort.Request AccessNow accepting new firms for the Spring 2026 cohort.Request AccessNow accepting new firms for the Spring 2026 cohort.Request Access

Security

Security & Vulnerability Disclosure

Effective date: May 9, 2026 · Last updated: May 9, 2026

1. Reporting a Vulnerability

AgentCore LLC (doing business as "Dale") welcomes reports from security researchers, customers, and members of the public regarding suspected security vulnerabilities affecting the Dale platform, our public marketing site at dale.legal, our APIs, or any other infrastructure operated by AgentCore LLC.

To report a suspected vulnerability, please email security@dale.legal. Where feasible, please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce the issue, including any URLs, payloads, or proof-of-concept code.
  • The version, environment, or component affected (e.g., production, staging).
  • Your name or handle and any preferred contact information for follow-up. Anonymous reports are accepted.

We aim to acknowledge new reports within three (3) business days. Severity assignment, remediation timelines, and any communications to affected parties are governed by our internal Incident Response Plan.

2. Safe Harbor for Good-Faith Research

AgentCore LLC will not pursue legal action against, or initiate law-enforcement investigation of, security researchers who report vulnerabilities to us in good faith and in accordance with this policy. To qualify for safe harbor, your research must:

  • Avoid any privacy violation, degradation of user experience, disruption of production systems, or destruction or modification of data belonging to AgentCore LLC or its customers.
  • Use only your own accounts, or accounts for which you have explicit written permission from the account owner, when testing.
  • Not access, download, modify, or retain data belonging to other users beyond the minimum necessary to demonstrate the vulnerability. Stop testing and report immediately upon encountering any such data.
  • Not perform denial-of-service attacks, social engineering against AgentCore personnel or customers, physical attacks against AgentCore property, or attacks against third-party services or sub-processors used by AgentCore.
  • Give AgentCore LLC a reasonable opportunity to remediate the issue before any public disclosure. Coordinated disclosure timelines are typically ninety (90) days from acknowledgment, or earlier by mutual agreement.
  • Comply with all applicable laws.

Activities consistent with this policy will be considered authorized for purposes of the U.S. Computer Fraud and Abuse Act ("CFAA"), the Digital Millennium Copyright Act ("DMCA"), and analogous state and foreign computer-misuse statutes, and we will not bring a civil claim against you for those activities. If a third party initiates legal action against you in connection with research conducted under this policy, we will take steps to make it known that your actions were authorized.

3. Scope

3.1 In scope

  • The Dale application and its production APIs (any host on dale.legal or *.dale.legal operated by AgentCore LLC).
  • The public marketing website at https://dale.legal.
  • The Trust Center at https://trust.dale.legal.
  • The status site at https://status.dale.legal.
  • Source code in repositories owned by the agentcore-llc organization on GitHub that is publicly available.

3.2 Out of scope

The following are explicitly excluded from this program. Reports limited to these classes will be acknowledged but typically closed without action:

  • Findings against third-party services, sub-processors, or open-source dependencies that are not under AgentCore LLC's direct control. Please report those upstream to the affected provider.
  • Volumetric or denial-of-service attacks, brute-force or rate-limiting probes, and any test that materially degrades service availability for other users.
  • Social-engineering attacks against AgentCore personnel, contractors, or customers.
  • Physical attacks against AgentCore property or personnel.
  • Reports based solely on automated scanner output without a demonstrated impact (e.g., missing security headers, cookie flag preferences, software-version banners) unless paired with a working exploit.
  • Self-XSS, clickjacking on pages with no sensitive actions, missing best-practice headers without an exploitable consequence, and other low-impact informational findings.
  • Issues affecting end-of-life browsers or operating systems no longer receiving security updates.

4. What We Do Not Offer

AgentCore LLC does not currently operate a paid bug bounty program, and we do not offer monetary rewards or swag for vulnerability reports. We are, however, happy to publicly credit researchers who responsibly disclose qualifying issues — please indicate in your report whether you would like attribution and how you would like to be credited.

5. Continuous Vulnerability Management

In addition to accepting external reports, AgentCore LLC operates the following continuous internal controls:

  • Dependency scanning. GitHub Dependabot is enabled across all production repositories and runs on every commit, alerting on known vulnerable packages with severity-based remediation SLAs.
  • Code scanning. Automated static analysis runs on pull requests via GitHub Actions, including secret-detection and dependency-review workflows.
  • Container and infrastructure scanning. AWS Inspector continuously evaluates production workloads for known vulnerabilities and misconfigurations.
  • Continuous compliance monitoring. Vanta provides continuous control testing across our SOC 2 program, including verification that vulnerability scanning remains enabled and that High and Critical findings are remediated within policy SLAs.
  • Independent third-party testing. Periodic third-party penetration testing is part of our security roadmap and will be conducted in line with SOC 2 observation requirements; findings will be tracked to remediation through our standard vulnerability management process.

Customers and prospects with active NDAs may request our current SOC 2 readiness summary and Sub-processor list (and, once issued, our SOC 2 report and most recent penetration test summary) through our Trust Center or by emailing security@dale.legal.

6. Related Policies & Resources

  • Trust Center — live security posture and continuous controls monitoring.
  • Privacy Policy — how AgentCore LLC handles personal information and customer data.
  • Data Processing Agreement — customer-facing commitments on data handling, sub-processors, and security measures.
  • Terms of Use — the legal agreement governing use of the Dale platform.

7. Updates to This Policy

We may update this policy from time to time to reflect changes in our security program, scope, or contact information. The "Last updated" date at the top of this page reflects the most recent revision. Material changes will be summarized in our public change log.

8. Contact

AgentCore LLC
Attn: Security
Email: security@dale.legal