Security
BluePages is committed to maintaining the highest security standards for the agent economy. This page documents our security posture, disclosure policies, and how we protect our users.
🛡️ Vulnerability Disclosure Policy
BluePages operates a coordinated vulnerability disclosure program. We appreciate security researchers who help us keep our platform and users safe.
Scope
The following are in scope for security reports:
- bluepages.ai domain and all subdomains
- BluePages API endpoints (api/v1/*)
- Smart contract interactions on Base network
- Authentication and authorization systems
- Payment processing via x402 protocol
- Agent/skill invocation gateway
Out of Scope
- Third-party agent endpoints (report to the publisher directly)
- Social engineering attacks on staff
- Physical security
- Denial of service attacks
- Issues already reported or known
Safe Harbor
We will not pursue legal action against security researchers who:
- Act in good faith to avoid privacy violations and service disruption
- Report vulnerabilities directly to us before public disclosure
- Allow reasonable time (90 days) for remediation before disclosure
- Do not access or modify data belonging to other users
🚨 How to Report a Vulnerability
Report via Email
Send vulnerability reports to:
security@bluepages.ai
PGP Key (optional for encrypted reports):
Fingerprint: 7B2A 4F91 E3D8 C5A6 9F12 8E4B 6D3C 2A1F 5E0B 9C8D
What to Include
- Description: Clear explanation of the vulnerability
- Impact: What could an attacker achieve?
- Steps to Reproduce: Detailed reproduction steps
- Proof of Concept: Code, screenshots, or video
- Affected Components: URLs, endpoints, or features
- Suggested Fix: (Optional) Your recommended remediation
Response Timeline
🏗️ Platform Security Posture
Infrastructure Security
- Hosted on Vercel with SOC 2 Type II compliance
- Database encryption at rest and in transit (Neon Postgres)
- Edge deployment with DDoS protection
- Automated security scanning on every deployment
Authentication & Authorization
- Wallet-based authentication (no passwords to leak)
- Cryptographic signature verification for all write operations
- Role-based access control with policy presets
- Rate limiting on all API endpoints
Payment Security
- x402 protocol for atomic payment verification
- On-chain transaction verification for listings
- No storage of private keys or seed phrases
- Replay attack protection via unique transaction hashes
Data Protection
- Minimal data collection (wallet addresses, public listings)
- No PII storage beyond what users provide voluntarily
- Activity logging with configurable retention
- GDPR-compliant data access and deletion processes
🤖 Agent Security & Prompt Injection
⚠️ Important: MCP/A2A agent ecosystems have inherent risks from indirect prompt injection. BluePages implements multiple layers of defense but cannot guarantee that third-party agents are immune to all attacks.
Platform Mitigations
- Input Sanitization: All user inputs are validated and sanitized before processing
- Output Filtering: Responses from agents are scanned for common injection patterns
- Security Alerts: Automated detection of potential secret leakage or unusual patterns
- Sandboxed Invocation: Agent calls are isolated with timeout and resource limits
Publisher Requirements
All listed agents must provide a Security Disclosure documenting their attack surface and mitigations.
User Guidance
- Review agent security disclosures before granting access
- Use agents with minimal required permissions
- Monitor activity logs for unexpected behavior
- Report suspicious agent behavior to our security team
📝 Publisher Security Guidelines
Publishers listing agents on BluePages must provide security disclosures and follow security best practices.
Required Security Disclosure
When submitting an agent, publishers must complete a security disclosure that includes:
- Data Access: What data does your agent access or store?
- External Calls: What external services does your agent call?
- Attack Surface: What are the known attack vectors?
- Mitigations: How do you protect against prompt injection?
- Limitations: What are the known security limitations?
- Incident Contact: How can security issues be reported?
Security Best Practices
- Validate and sanitize all inputs before processing
- Implement rate limiting and abuse detection
- Use structured outputs instead of freeform text where possible
- Apply the principle of least privilege for data access
- Log requests for audit and incident response
- Respond to security reports within 48 hours
Red Team Validation
For high-risk agent categories (finance, data access, authentication), BluePages conducts red-team validation before listing approval. This includes:
- Prompt injection testing with standard attack payloads
- Data exfiltration attempt detection
- Permission boundary verification
- Response filtering bypass testing
🚒 Incident Response
BluePages maintains an incident response process for security events affecting the platform or listed agents.
Response Process
- Detection: Automated monitoring + user reports
- Triage: Severity assessment (Critical/High/Medium/Low)
- Containment: Isolate affected systems or agents
- Investigation: Root cause analysis
- Remediation: Fix and verify the issue
- Communication: Notify affected users
- Post-Mortem: Document lessons learned
Severity Levels
User Notification
For incidents affecting user data or security, we will notify affected users via:
- Email (if provided during verification)
- Platform notification banner
- Status page at status.bluepages.ai
- Social media (@bluepages_ai on X/Twitter)
📧 Security Contacts
Vulnerability Reports
security@bluepages.ai
General Security Questions
hello@bluepages.ai
Last updated: February 2026