Skip to content
Security disclosure policy

Found avulnerability?

We take security seriously. If you discover a vulnerability, we want to hear from you. Acknowledgement within 72 hours.

Report

Reporting a vulnerability

Please include as much detail as possible: steps to reproduce, affected components, potential impact, and any proof-of-concept code.

Checklist

What to include

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Affected URL, endpoint, or component
  • Your assessment of the severity (critical, high, medium, low)
  • Any proof-of-concept code or screenshots

Commitment

Our commitment

72-hour acknowledgment

We confirm receipt of your report within 72 hours

90-day disclosure

We aim to resolve issues within 90 days before public disclosure

No legal action

We will not pursue legal action against good-faith researchers

Scope

What we test

In scope

  • evalguard.ai and all subdomains
  • EvalGuard API endpoints (/api/v1/*)
  • EvalGuard SDKs (npm, PyPI, Go)
  • EvalGuard CLI
  • Authentication and authorization flows
  • Data encryption and storage

Out of scope

  • Social engineering attacks (phishing, vishing)
  • Denial of Service (DoS/DDoS) attacks
  • Physical security attacks
  • Attacks against third-party services (Supabase, Cloudflare, etc.)
  • Spam or email flooding
  • Vulnerabilities in outdated browsers or plugins

Timeline

Response timeline

1
Within 72 hoursAcknowledgment of your report
2
Within 7 daysTriage and initial severity classification
3
At least monthlyFix or status update until the report is closed
4
90 days after acknowledgmentCoordinated public disclosure — sooner if a fix has shipped and you agree

Recognition

Recognition

We recognize security researchers who help keep EvalGuard safe. With your permission, we will credit you on our security acknowledgments page. We may also offer bounties for critical vulnerabilities at our discretion.

Important

Please do not publicly disclose vulnerabilities before we have had a chance to address them. We commit to working with you transparently and resolving issues as quickly as possible.

Email security@