Security
Vulnerability disclosure
Report suspected vulnerabilities in Hermes Plant storefront, API, checkout, authentication, entitlement, x402, or agent-service surfaces to contact@hermesplant.com.
What to include
- The affected URL, endpoint, product, or payment surface.
- Steps to reproduce with the minimum data required.
- Observed impact, including account, payment, or data exposure risk.
- Any request IDs, timestamps, headers, or sanitized logs that help triage.
Scope
In scope: hermesplant.com, public API routes, authentication flows, Stripe checkout handoff, x402 purchase routes, entitlement checks, machine-readable discovery files, and the public MCP route.
Out of scope: denial-of-service testing, social engineering, spam, physical attacks, and reports that require accessing another customer's data beyond a harmless proof.
Machine-readable policy
The canonical disclosure file is /.well-known/security.txt. The legacy /security.txt path redirects there.