Security

reporting a vulnerability

if you've found a security vulnerability in inference.sh or belt.sh, we want to hear about it.

email: [email protected]

please include:

  • description of the vulnerability
  • steps to reproduce
  • affected component (api, cli, web, skills, agents)
  • impact assessment (what an attacker could do)

we will acknowledge your report within 48 hours and aim to provide a fix timeline within 5 business days.

reporting abuse

for abuse reports (malicious skills, apps, or agents):

email: [email protected]

for dmca takedown requests:

email: [email protected]

what we protect

  • all skill content is scanned by our security scanner (INF-SEC rules) before serving
  • credentials detected in skill content or agent output are automatically redacted
  • hook tool URLs are validated (https required, no localhost)
  • critical security findings block skill publishing automatically
  • credential patterns are sourced from gitleaks and updated at startup

scope

the following are in scope for security reports:

  • inference.sh api and web application
  • belt.sh web application
  • belt cli
  • skill store and registry
  • agent runtime and execution
  • mcp connector proxy
  • authentication and authorization

the following are out of scope:

  • third-party app provider vulnerabilities (report to the provider directly)
  • social engineering attacks
  • denial of service attacks
  • issues in dependencies already reported upstream

disclosure policy

  • we follow coordinated disclosure — please give us reasonable time to fix before publishing
  • we will not pursue legal action against researchers acting in good faith
  • we credit researchers in our changelog (unless you prefer anonymity)

security.txt

our machine-readable security contact is at /.well-known/security.txt

policies

we maintain comprehensive security, incident response, data classification, vendor management, business continuity, and change management policies. full policy documents are available on request — contact [email protected].

we use cookies

we use cookies to ensure you get the best experience on our website. for more information on how we use cookies, please see our cookie policy.

by clicking "accept", you agree to our use of cookies.
learn more.