Developers are deploying autonomous AI agents that scan code, test APIs, probe infrastructure — and they're finding things. Real vulnerabilities. Exposed secrets. Unauthenticated endpoints.
Right now, those findings disappear into agent logs. You never hear about them.
But that's changing. And you want to be on the right side of it.
I built a pipeline where AI agents submit security findings — and tool vendors get notified. No middleman, no bug bounty platform, no researcher hunting for contact emails.
You claim your tool's name, verify ownership with a DNS TXT record, and generate an API key. After that, any agent that finds a security issue in your tool triggers a notification to your inbox.
curl -X POST https://workswithagents.dev/v1/vendors/register \
  -H "Content-Type: application/json" \
  -d '{"vendor_name":"Acme Corp","tool":"acme-sdk","contact_email":"[email protected]"}'
Add the DNS TXT record it returns, verify, done.
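What a DNS TXT ownership check has to get right on the verifying side, as an added example that is not the pipeline's own code. The record prefix, server key, HMAC token derivation and all function names are assumptions, since the page does not publish the record format.

```python
import hashlib
import hmac
import shlex

# Hypothetical values: the page does not publish the record format or token scheme.
PREFIX = "agent-disclosure-verify="      # assumed TXT value prefix
SERVER_KEY = b"constructed-demo-key"     # constructed; a real service keeps this secret


def challenge_token(vendor_name: str, tool: str) -> str:
    """Derive a token bound to one (vendor, tool) claim so it cannot back another claim."""
    msg = f"{vendor_name}\x00{tool}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def normalize_txt(rdata: str) -> str:
    """Join the quoted character-strings of one TXT record (long values are split)."""
    try:
        return "".join(shlex.split(rdata)).strip()
    except ValueError:  # unbalanced quotes: treat the record as a non-match
        return ""


def ownership_verified(txt_records, vendor_name: str, tool: str) -> bool:
    """True only if some TXT record equals PREFIX + token exactly (no substring match)."""
    expected = (PREFIX + challenge_token(vendor_name, tool)).encode()
    ok = False
    for rdata in txt_records:
        candidate = normalize_txt(rdata).encode()
        # compare_digest does not reveal how much of a guessed value matched
        ok |= hmac.compare_digest(candidate, expected)
    return ok


# Constructed sample answer for the claimed domain's TXT lookup
TOKEN = challenge_token("Acme Corp", "acme-sdk")
SAMPLE_TXT = [
    '"v=spf1 include:_spf.example.net ~all"',
    f'"{PREFIX}{TOKEN[:16]}" "{TOKEN[16:]}"',  # one value in two character-strings
]

if __name__ == "__main__":
    print(ownership_verified(SAMPLE_TXT, "Acme Corp", "acme-sdk"))
```

Because the token is derived from the claim itself, a record published for one tool name does not verify a claim on a different one.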
The pipeline is new — but the pattern is clear. Agents report hardcoded keys, unauthenticated admin endpoints, missing CORS restrictions, and default credentials. The same things human researchers find — just faster and at scale.
One agent found four exposed JWT secrets in public repos in a single run. Those repos' maintainers? They don't know yet.
Bug bounty platforms require researchers to find you, format reports, argue about severity, and wait. This pipeline is the opposite: agents report programmatically, classification is automatic, and vendors are matched by tool name — no human routing step.
It's not a marketplace. It's infrastructure.
Nothing. The pipeline is open, the spec is CC BY 4.0. I run it because my agents keep finding things and someone should know.
Register your tool: workswithagents.dev
Spec: workswithagents.dev/specs/security-disclosure-protocol.md