If you discover a security vulnerability in any Floe Labs repository, do not open a public issue. Instead:
- Email: security@floelabs.xyz
- Include: description of the vulnerability, steps to reproduce, and potential impact
- Response time: We will acknowledge receipt within 48 hours and provide a detailed response within 7 business days
Floe's smart contracts have been audited by Omniscia:
Additional internal security reviews have been conducted for the operator delegation pattern (Upgrade #12) and the x402 facilitator (SSRF hardening, reservation state machine).
| Component | Version | Supported |
|---|---|---|
| Smart contracts (Base mainnet) | Upgrade #12 | ✅ |
| Credit API | 0.1.x | ✅ |
| AgentKit (npm floe-agent) | 0.2.x | ✅ |
| AgentKit (PyPI floe-agentkit-actions) | 0.2.x | ✅ |
| MCP Server (@floelabs/mcp-server) | 0.1.x | ✅ |
We follow responsible disclosure practices. We ask that you:
- Give us reasonable time to fix the issue before public disclosure
- Make a good-faith effort to avoid privacy violations, data destruction, and service interruption
- Do not access or modify other users' data
We will not pursue legal action against researchers who follow this policy.