Responsible Disclosure Policy — EvalGuard

Reporting a Vulnerability

Please include as much detail as possible: steps to reproduce, affected components, potential impact, and any proof-of-concept code.

What to Include

Description of the vulnerability and its potential impact
Step-by-step instructions to reproduce the issue
Affected URL, endpoint, or component
Your assessment of the severity (critical, high, medium, low)
Any proof-of-concept code or screenshots

Our Commitment

24-hour acknowledgment

We confirm receipt of your report within one business day

90-day disclosure

We aim to resolve issues within 90 days before public disclosure

No legal action

We will not pursue legal action against good-faith researchers

In Scope

• evalguard.ai and all subdomains
• EvalGuard API endpoints (/api/v1/*)
• EvalGuard SDKs (npm, PyPI, Go, Java)
• EvalGuard CLI
• Authentication and authorization flows
• Data encryption and storage

Out of Scope

• Social engineering attacks (phishing, vishing)
• Denial of Service (DoS/DDoS) attacks
• Physical security attacks
• Attacks against third-party services (Supabase, Cloudflare, etc.)
• Spam or email flooding
• Vulnerabilities in outdated browsers or plugins

Response Timeline

Within 24 hours — Acknowledgment of your report

Within 72 hours — Initial assessment and severity classification

Within 7 days — Detailed response with remediation plan

Within 90 days — Fix deployed and verified

Recognition

We recognize security researchers who help keep EvalGuard safe. With your permission, we will credit you on our security acknowledgments page. We may also offer bounties for critical vulnerabilities at our discretion.

Important

Please do not publicly disclose vulnerabilities before we have had a chance to address them. We commit to working with you transparently and resolving issues as quickly as possible.