## What this page is

Most AI security vendors run **closed Vulnerability Disclosure Programs** (VDPs). When a researcher finds a bug, they sign an NDA. The fix ships quietly. The customer never knows their data was exposed for 90 days while a private patch was negotiated.

We don't. AiEGIS publishes its own audit log within hours of finding a bug.

This page is that log.

## 2026-04-28 — 14-fix Security Hardening Sweep

**Trigger:** Internal red-team during scheduled paired-engineer session (Velo + Nel). Found 14 distinct issues across 12 endpoints + 2 anti-patterns.

**Time-to-fix:** All 14 patched within 4 hours of first finding. Backend re-deployed 6 times during the working day.

**Customer impact:** Zero. Single-tenant pilot, all findings caught before any external customer was exposed.




| # | Class | Endpoint / Issue | Severity | Fix |
|---|---|---|---|---|
| 1 | dead-man-switch reversal | `/api/agents/{id}/release` flipped status to ACTIVE then auto-loop reverted to QUARANTINED before customer mac could heartbeat | HIGH | Patched endpoint to bump `last_seen=now()` atomically with status flip |
| 2 | unauthenticated info-disclosure | `/api/agents/stats` returned org-wide counts without auth | MEDIUM | `Depends(require_admin)` |
| 3 | unauthenticated cross-agent leak | `/api/agents/{id}/activity` exposed prompt-injection threats + DOS patterns + customer-internal context | HIGH | `Depends(require_admin)` |
| 4 | unauthenticated stale-agent enum | `/api/agents/stale` enumerated dead/quarantined agents | MEDIUM | `Depends(require_admin)` |
| 5 | unauthenticated agent-list | `/api/agents/public` listed all agents + status | MEDIUM | `Depends(require_admin)` |
| 6 | dead-man-switch config disclosure | `/api/deadman/config` GET leaked timing thresholds (attack-window enumeration) | MEDIUM | `Depends(require_admin)` |
| 7 | all-tenant activity leak | `/api/activity` returned 100 most recent decisions across ALL tenants | HIGH | `Depends(require_admin)` |
| 8 | internal codename + path leak | `/api/status/full` returned `"platform": "Project 490"` (internal codename) + anchor_dir filesystem path | HIGH | `Depends(require_admin)` + codename redacted |
| 9 | operational telemetry leak | `/api/integration/health` returned per-layer telemetry (queue depth, P95 latency) | MEDIUM | `Depends(require_admin)` |
| 10 | scale + test-count leak | `/audit` returned total scans + threats blocked + internal test count | MEDIUM | `Depends(require_admin)` |
| 11 | internal-path disclosure | `/api/genesis/anchor` returned `anchor_dir: /opt/aegis/config/...` filesystem path | MEDIUM | `Depends(require_admin)` |
| 12 | 200-on-auth-fail | `/api/log` returned HTTP 200 with `{status:"error"}` body on bad key — silently looked successful in logs | MEDIUM | `JSONResponse(status_code=401, ...)` |
| 13 | 200-on-auth-fail (sibling) | similar pattern at `/api/whatever` (line 4851) | MEDIUM | same fix |
| 14 | UI fake-success regression | `/agents` page rendered fake demo customer data on auth-fail + faked quarantine/release button success | MEDIUM | Removed demo fallback + replaced with honest "Login required" empty state + error toast |
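
Finding 1, modelled as an added example (this is not AiEGIS code): a minimal in-memory dead-man switch showing why the release has to bump `last_seen` in the same critical section as the status flip. The `Registry` class, the 60-second timeout, the agent id and all timestamps are assumptions constructed for illustration.

```python
import threading
from dataclasses import dataclass

HEARTBEAT_TIMEOUT = 60.0  # seconds; constructed value, the page does not state its thresholds


@dataclass
class Agent:
    status: str
    last_seen: float


class Registry:
    def __init__(self):
        self._lock = threading.Lock()
        self.agents = {}

    def sweep(self, now):
        """Dead-man-switch loop: quarantine ACTIVE agents whose heartbeat is stale."""
        with self._lock:
            for agent in self.agents.values():
                if agent.status == "ACTIVE" and now - agent.last_seen > HEARTBEAT_TIMEOUT:
                    agent.status = "QUARANTINED"

    def release_before_fix(self, agent_id, now):
        """Behaviour described in finding 1: only the status is flipped."""
        with self._lock:
            self.agents[agent_id].status = "ACTIVE"  # last_seen is still the old value

    def release_after_fix(self, agent_id, now):
        """Patched behaviour: status and last_seen change under one lock."""
        with self._lock:
            agent = self.agents[agent_id]
            agent.status, agent.last_seen = "ACTIVE", now


def simulate(release_name, sweep_at=1005.0):
    """Release a long-quarantined agent at t=1000, then run one sweep at
    sweep_at with no heartbeat in between. Returns the final status."""
    reg = Registry()
    reg.agents["agent-1"] = Agent(status="QUARANTINED", last_seen=100.0)  # constructed sample
    getattr(reg, release_name)("agent-1", now=1000.0)
    reg.sweep(now=sweep_at)
    return reg.agents["agent-1"].status


if __name__ == "__main__":
    print("before fix:", simulate("release_before_fix"))
    print("after fix: ", simulate("release_after_fix"))
    print("after fix, no heartbeat for 61s:", simulate("release_after_fix", sweep_at=1061.0))
```

The third case shows that the patched release only grants one timeout window: an agent that never heartbeats is quarantined again, so the switch itself stays effective.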




## Industry context

CVE assignments in our category in 2026 so far:
- **AiEGIS:** 0 CVEs (pre-customer pilot, internal-only)
- **Microsoft Purview / Azure MCP / Copilot:** 7+ CVEs in 6 months
- **Strac, Nightfall, LayerX, Cyberhaven:** 0 published CVEs (closed VDPs)

The 14 issues we patched today are the same class as `CVE-2026-32173` (Azure SRE Agent improper auth, CVSS 8.6). Our competitors with closed VDPs likely patched similar issues this week without disclosure. We chose to publish.

## Our coordinated VDP commitment


- Detection-to-patch SLA: 24 hours for any finding HIGH or above. Today's 14-fix sweep: 4 hours.

- Public disclosure: within 7 days of patch ship, on this page.

- No NDA required for security researchers. Email security@aiegis.ie and we publish your finding (or anonymize it at your request).

- Scope: all aiegis.ie endpoints + browser extension + future native binaries.

- Out of scope: social engineering, physical access, customer mac OS-level vulnerabilities.



## Why we publish

EU AI Act Article 12 requires logging of AI decisions for traceability. This is the baseline. Our public audit log is a deliberate over-and-above choice — we believe customers buying an AI governance product should be able to verify the governance vendor's own security hygiene.

If you find an issue, email security@aiegis.ie.



**Last updated:** 2026-04-28 13:55 IST
**Next update:** 2026-04-29 (weekly cadence regardless of findings)
**Signing key:** [public PGP key here once shipped]
