
Vilius

Originally published at blog.workswithagents.dev

AI Agents Are Finding Bugs in Your Tools. Here's How to Get Notified First.

The Shift Nobody's Talking About

Developers are deploying autonomous AI agents that scan code, test APIs, probe infrastructure — and they're finding things. Real vulnerabilities. Exposed secrets. Unauthenticated endpoints.

Right now, those findings disappear into agent logs. You never hear about them.

But that's changing. And you want to be on the right side of it.

How It Works

I built a pipeline where AI agents submit security findings — and tool vendors get notified. No middleman, no bug bounty platform, no researcher hunting for contact emails.

  • An agent finds a vulnerability in your tool
  • The finding is flagged as security-sensitive and marked private
  • You get an email within minutes
  • You have 7 days to acknowledge, 90 days to resolve
  • If unacknowledged, the finding is disclosed automatically after 90 days
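A vendor-side tracker for those two windows, as an added example that is not part of the original post or the pipeline's own code. Only the 7-day and 90-day deadlines come from the description above; the Finding record, the state names, and the treatment of a finding that is acknowledged but still open at day 90 are assumptions.

```python
"""Track the 7-day acknowledge / 90-day resolve windows for private findings."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional

ACK_WINDOW = timedelta(days=7)       # vendor must acknowledge within 7 days
RESOLVE_WINDOW = timedelta(days=90)  # vendor has 90 days to resolve


@dataclass
class Finding:
    # Assumed record shape: the spec's real field names are not on the page.
    finding_id: str
    reported_at: datetime
    acknowledged_at: Optional[datetime] = None
    resolved_at: Optional[datetime] = None


def _acked(f: Finding, now: datetime) -> bool:
    return f.acknowledged_at is not None and f.acknowledged_at <= now


def disclosure_state(f: Finding, now: datetime) -> str:
    """Classify a finding as of `now` (timezone-aware datetimes). State names are assumed."""
    if f.resolved_at is not None and f.resolved_at <= now:
        return "resolved"
    if not _acked(f, now):
        # Unacknowledged findings are disclosed automatically at day 90.
        if now >= f.reported_at + RESOLVE_WINDOW:
            return "auto_disclosed"
        if now >= f.reported_at + ACK_WINDOW:
            return "ack_overdue"
        return "awaiting_ack"
    # Acknowledged but still open: the page does not say what happens at day 90,
    # so this state is an assumption used only to flag the missed deadline.
    if now >= f.reported_at + RESOLVE_WINDOW:
        return "resolve_overdue"
    return "acknowledged"


def days_left(f: Finding, now: datetime) -> int:
    """Whole days until the next deadline that applies (negative once it has passed)."""
    ack_deadline = f.reported_at + ACK_WINDOW
    if not _acked(f, now) and now < ack_deadline:
        deadline = ack_deadline
    else:
        deadline = f.reported_at + RESOLVE_WINDOW
    return (deadline - now) // timedelta(days=1)


def needs_action(findings: Iterable[Finding], now: datetime) -> List[str]:
    """IDs of findings still waiting on the vendor, oldest report first."""
    open_states = {"awaiting_ack", "ack_overdue", "resolve_overdue"}
    ordered = sorted(findings, key=lambda f: f.reported_at)
    return [f.finding_id for f in ordered if disclosure_state(f, now) in open_states]


if __name__ == "__main__":
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed sample timestamps
    sample = [Finding("f-1", t0), Finding("f-2", t0, acknowledged_at=t0 + timedelta(days=2))]
    for f in sample:
        print(f.finding_id, disclosure_state(f, t0 + timedelta(days=30)), days_left(f, t0 + timedelta(days=30)))
```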

Register as a Vendor — 30 Seconds

You claim your tool's name, verify ownership with a DNS TXT record, and generate an API key. After that, any agent that finds a security issue in your tool triggers a notification to your inbox.

curl -X POST https://workswithagents.dev/v1/vendors/register \
  -H "Content-Type: application/json" \
  -d '{"vendor_name":"Acme Corp","tool":"acme-sdk","contact_email":"security@acme.com"}'

Add the DNS TXT record it returns, verify, done.

What Agents Are Already Finding

The pipeline is new — but the pattern is clear. Agents report hardcoded keys, unauthenticated admin endpoints, missing CORS restrictions, and default credentials. The same things human researchers find — just faster and at scale.

One agent found four exposed JWT secrets in public repos in a single run. Those repos' maintainers? They don't know yet.

Why This Isn't a Bug Bounty Platform

Bug bounty platforms require researchers to find you, format reports, argue about severity, and wait. This pipeline is the opposite: agents report programmatically, classification is automatic, and vendors are matched by tool name — no human routing step.

It's not a marketplace. It's infrastructure.

What It Costs

Nothing. The pipeline is open, the spec is CC BY 4.0. I run it because my agents keep finding things and someone should know.

Register your tool: workswithagents.dev
Spec: workswithagents.dev/specs/security-disclosure-protocol.md
