Skip to content
Last updated 2026-06-17

VulnerabilityDisclosure Program.

Report a security issue in EvalGuard and we'll fix it fast and credit you. This is a recognition-based program — verified findings earn hall-of-fame credit and a written acknowledgment, with safe-harbor protection for good-faith research.

This is a recognition-based program. We do not offer cash rewards at this time — verified findings receive hall-of-fame credit and a written acknowledgment you can cite. We may introduce cash rewards in the future as the company is funded; if we do, this page will be updated first.

How to participate

Four steps to disclose

  1. 1Find a vulnerability in the in-scope assets (below).
  2. 2Email security@evalguard.ai with a reproducer, affected URL/component, and your severity assessment.
  3. 3Wait for triage (initial response within 72 hours, per our security.txt).
  4. 4If verified, you receive hall-of-fame credit and a written acknowledgment of the severity for your portfolio.

In scope

  • https://evalguard.ai (production app + API)
  • https://www.evalguard.ai (alias)
  • Any https://evalguard.ai/api/v1/* endpoint
  • The @evalguard/sdk, @evalguard/openai, @evalguard/anthropic, and @evalguard/otel-sdk npm packages
  • The public source repository at github.com/EvalGuardAi/evalguard (e.g., supply-chain issues, secrets in commits)

Out of scope

  • Findings on third-party infrastructure (Supabase, Cloudflare, Hetzner, Vercel, Sentry, BullMQ-as-a-service) — report to those vendors directly.
  • Denial-of-service via volumetric attacks, brute-force without mitigation bypass, or rate-limit testing without explicit permission.
  • Social engineering, phishing of EvalGuard staff, or physical attacks on infrastructure.
  • Self-XSS, missing best-practice headers without exploit proof, weak ciphers without practical attack, theoretical vulnerabilities without a reproducer.
  • Vulnerabilities requiring root on a victim's device, or requiring browser plugins/extensions installed.
  • Spamming the disclosure program (low-effort or duplicate reports). We may ban repeat offenders.

Severity rubric

How we classify findings.

We triage every verified report against the rubric below. Recognition is hall-of-fame credit plus a written acknowledgment of the severity you can cite in your portfolio. This program is recognition-based — there are no cash rewards at this time.

SeverityExamplesRecognition
CriticalAuth bypass, RCE on prod, cross-tenant data read/write, service-role-key exfil, supply-chain compromise of an OSS packageHall of fame + written acknowledgment
HighVertical privilege escalation, audit-log tampering with service-role-key, IDOR with PII exposure, BOLA on owned resources, SSRF to internal servicesHall of fame + written acknowledgment
MediumReflected XSS in authenticated context, CSRF on mutating endpoint, mass-assignment, ReDoS on user-input regex, DoS-able endpoint with no rate limitHall of fame
LowInformation disclosure (e.g., stack trace), missing security header with practical attack, open redirect with limited impactHall of fame

Response SLA

How fast we move.

  • Initial triage: 72 hours from email receipt.
  • Severity confirmation: 5 business days.
  • Patch + production deploy: Critical 24h, High 7d, Medium 30d, Low 90d.
  • Public disclosure: 90 days from initial report, OR after a verified fix ships and the reporter agrees, whichever is sooner.

Safe harbor

Research in good faith is protected.

We will not pursue legal action against you for security research conducted in good faith and within the scope of this policy. Specifically, you may:

  • Probe the in-scope assets for vulnerabilities, including automated scanning at reasonable rates.
  • Reproduce a vulnerability using your own test account, OR with a temporary fictitious account (do not use real customer accounts).
  • Retain proof-of-concept material long enough to author a report; you must delete any obtained PII or secrets after we acknowledge.

You must NOT: access or modify customer data, leverage a found vulnerability beyond a minimal proof-of-concept, publicly disclose before the agreed timeline, or violate the responsible disclosure policy.

Hall of fame

Researchers who made us safer.

Researchers who have contributed verified vulnerability reports. Listed with their consent.

Be the first.

Reference

Everything you need to file.

Reporting email: security@evalguard.ai

security.txt: /.well-known/security.txt

Formal disclosure policy: /security/responsible-disclosure

Threat model: docs/threat-model.md