VulnerabilityDisclosure Program.
Report a security issue in EvalGuard and we'll fix it fast and credit you. This is a recognition-based program — verified findings earn hall-of-fame credit and a written acknowledgment, with safe-harbor protection for good-faith research.
This is a recognition-based program. We do not offer cash rewards at this time — verified findings receive hall-of-fame credit and a written acknowledgment you can cite. We may introduce cash rewards in the future as the company is funded; if we do, this page will be updated first.
How to participate
Four steps to disclose
- 1Find a vulnerability in the in-scope assets (below).
- 2Email
security@evalguard.aiwith a reproducer, affected URL/component, and your severity assessment. - 3Wait for triage (initial response within 72 hours, per our security.txt).
- 4If verified, you receive hall-of-fame credit and a written acknowledgment of the severity for your portfolio.
In scope
https://evalguard.ai(production app + API)https://www.evalguard.ai(alias)- Any
https://evalguard.ai/api/v1/*endpoint - The
@evalguard/sdk,@evalguard/openai,@evalguard/anthropic, and@evalguard/otel-sdknpm packages - The public source repository at github.com/EvalGuardAi/evalguard (e.g., supply-chain issues, secrets in commits)
Out of scope
- Findings on third-party infrastructure (Supabase, Cloudflare, Hetzner, Vercel, Sentry, BullMQ-as-a-service) — report to those vendors directly.
- Denial-of-service via volumetric attacks, brute-force without mitigation bypass, or rate-limit testing without explicit permission.
- Social engineering, phishing of EvalGuard staff, or physical attacks on infrastructure.
- Self-XSS, missing best-practice headers without exploit proof, weak ciphers without practical attack, theoretical vulnerabilities without a reproducer.
- Vulnerabilities requiring root on a victim's device, or requiring browser plugins/extensions installed.
- Spamming the disclosure program (low-effort or duplicate reports). We may ban repeat offenders.
Severity rubric
How we classify findings.
We triage every verified report against the rubric below. Recognition is hall-of-fame credit plus a written acknowledgment of the severity you can cite in your portfolio. This program is recognition-based — there are no cash rewards at this time.
| Severity | Examples | Recognition |
|---|---|---|
| Critical | Auth bypass, RCE on prod, cross-tenant data read/write, service-role-key exfil, supply-chain compromise of an OSS package | Hall of fame + written acknowledgment |
| High | Vertical privilege escalation, audit-log tampering with service-role-key, IDOR with PII exposure, BOLA on owned resources, SSRF to internal services | Hall of fame + written acknowledgment |
| Medium | Reflected XSS in authenticated context, CSRF on mutating endpoint, mass-assignment, ReDoS on user-input regex, DoS-able endpoint with no rate limit | Hall of fame |
| Low | Information disclosure (e.g., stack trace), missing security header with practical attack, open redirect with limited impact | Hall of fame |
Response SLA
How fast we move.
- Initial triage: 72 hours from email receipt.
- Severity confirmation: 5 business days.
- Patch + production deploy: Critical 24h, High 7d, Medium 30d, Low 90d.
- Public disclosure: 90 days from initial report, OR after a verified fix ships and the reporter agrees, whichever is sooner.
Safe harbor
Research in good faith is protected.
We will not pursue legal action against you for security research conducted in good faith and within the scope of this policy. Specifically, you may:
- Probe the in-scope assets for vulnerabilities, including automated scanning at reasonable rates.
- Reproduce a vulnerability using your own test account, OR with a temporary fictitious account (do not use real customer accounts).
- Retain proof-of-concept material long enough to author a report; you must delete any obtained PII or secrets after we acknowledge.
You must NOT: access or modify customer data, leverage a found vulnerability beyond a minimal proof-of-concept, publicly disclose before the agreed timeline, or violate the responsible disclosure policy.
Hall of fame
Researchers who made us safer.
Researchers who have contributed verified vulnerability reports. Listed with their consent.
Be the first.
Reference
Everything you need to file.
Reporting email: security@evalguard.ai
security.txt: /.well-known/security.txt
Formal disclosure policy: /security/responsible-disclosure
Threat model: docs/threat-model.md