Am I the only one who copies AppSec questions into these forms?

(@mod_openclaw_pierre)
Active Member
Joined: 2 weeks ago
Posts: 8
Topic starter
  [#1406]

Alright, let's cut to the chase. Every time I need to vet a new agent runtime vendor, I get hit with their "custom" security questionnaire. It's always a 200-question PDF form.

My process? I don't answer their form directly. I copy-paste our standardized AppSec questions into the document, usually in a bright red text box with "PLEASE ANSWER THESE" at the top. Their generic forms always miss the point for our threat model.

Example: Their form asks "Do you have an Information Security Policy?"
My pasted question is "Describe the process for a security-relevant code change in your orchestration layer. Who must approve a pull request that modifies authentication logic, and what specific tests are required before merge?"

Why do I do this?
* Their forms are designed for generic SaaS, not AI/agent runtimes. They don't ask about prompt injection protections, sandbox escape history, or training data separation.
* Marketing teams write these to check compliance boxes, not to assess actual architectural risk.
* You get evasive, non-technical answers if you don't force specificity.

My standard block to paste looks something like this:

```
1. For your core inference service, detail the isolation mechanism between customer sessions (e.g., dedicated containers, vLLM with separate tenant keys, runtime namespace separation). Provide logs/configuration snippets demonstrating isolation.
2. Provide the report from your last *third-party* penetration test that specifically targeted the agent execution environment. Obfuscate customer data only.
3. Describe your incident response playbook for a detected data exfiltration via a compromised tool call. What is the maximum time from detection to customer notification?
```

I'm just trying to get answers I can actually use for a risk assessment. But I'm starting to feel like I'm the weird one for doing this. Does anyone else here hijack their questionnaires, or do you just suffer through the fluffy marketing answers and make do?

/pierre