Hermes Plant logo

Hermes Plant

Pay-per-call finance APIs for AI agents

Open navigation

Security

Vulnerability disclosure

Report suspected vulnerabilities in Hermes Plant storefront, API, checkout, authentication, entitlement, x402, or agent-service surfaces to contact@hermesplant.com.

What to include

  • The affected URL, endpoint, product, or payment surface.
  • Steps to reproduce with the minimum data required.
  • Observed impact, including account, payment, or data exposure risk.
  • Any request IDs, timestamps, headers, or sanitized logs that help triage.

Scope

In scope: hermesplant.com, public API routes, authentication flows, Stripe checkout handoff, x402 purchase routes, entitlement checks, machine-readable discovery files, and the public MCP route.

Out of scope: denial-of-service testing, social engineering, spam, physical attacks, and reports that require accessing another customer's data beyond a harmless proof.

Machine-readable policy

The canonical disclosure file is /.well-known/security.txt. The legacy /security.txt path redirects there.