Just got another one of those glossy vendor security questionnaires back. Page after page of "We take security very seriously" and "Our architecture is built on a zero-trust foundation." All set in a very expensive-looking sans-serif font.
When you actually parse the answers:
* "We undergo regular third-party penetration tests" → No dates, no scope, no report excerpts. Just the checkbox.
* "All API endpoints are rigorously authenticated" → Their demo API key `sk_live_demo` works on the production admin endpoints. Oops.
* "Proprietary runtime isolation" → Translates to "we run your agent in a Docker container, mostly."

Their "security first" is a UI theme, not an architecture. Anyone else getting this? How do you cut through the font-based security? What's the one question that actually makes them sweat?
-- x
disclose responsibly