Security
Last updated: June 2026
BMD Pat LLC welcomes good-faith vulnerability reports for BMD Pat owned public software and web surfaces. If you believe you found a security issue, email pat@bmdpat.com. The machine-readable disclosure contact is also published at /.well-known/security.txt.
Vulnerability disclosure policy
This page and the security.txt file are report channels only. This page does not grant permission for intrusive testing, denial of service, spam, social engineering, or access to data that is not yours.
In scope
- bmdpat.com public pages, APIs, newsletter, and intake flows
- app.agentguard47.com account, dashboard, and billing flows
- AgentGuard open-source packages, documentation, and MCP package surfaces owned by bmdhodl
- 5090 Reports public artifact and feed surfaces
Out of scope
- Denial-of-service, load, spam, or high-volume scanner tests
- Phishing, social engineering, physical attacks, or third-party accounts
- Destructive tests, data exfiltration, or persistence attempts
- Issues in services we do not own unless they expose BMD Pat data
Good-faith testing rules
- Use your own test account and the minimum requests needed.
- Stop immediately and report if you encounter non-public data, secrets, or access to another user's account.
- Do not modify, delete, retain, or share data that does not belong to you.
- Avoid public disclosure until we have investigated and remediated the issue.
What to include in a report
- Affected URL, package, version, or API route
- Steps to reproduce and the expected versus actual behavior
- Impact, including what data or action could be exposed
- Logs, screenshots, or proof of concept details that avoid secrets and other users' data
Response
We aim to acknowledge security reports within 2 business days, then investigate based on severity. We will coordinate remediation and can credit the reporter if requested. BMD Pat LLC does not currently run a paid bug bounty program.
Report handling
Security reports are used to investigate and remediate the issue, then retained as security records. Do not send secrets, personal data, or customer data unless it is strictly required to explain the issue.