Found avulnerability?
We take security seriously. If you discover a vulnerability, we want to hear from you. Acknowledgement within 72 hours.
Report
Reporting a vulnerability
Please include as much detail as possible: steps to reproduce, affected components, potential impact, and any proof-of-concept code.
Checklist
What to include
- Description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Affected URL, endpoint, or component
- Your assessment of the severity (critical, high, medium, low)
- Any proof-of-concept code or screenshots
Commitment
Our commitment
72-hour acknowledgment
We confirm receipt of your report within 72 hours
90-day disclosure
We aim to resolve issues within 90 days before public disclosure
No legal action
We will not pursue legal action against good-faith researchers
Scope
What we test
In scope
- • evalguard.ai and all subdomains
- • EvalGuard API endpoints (/api/v1/*)
- • EvalGuard SDKs (npm, PyPI, Go)
- • EvalGuard CLI
- • Authentication and authorization flows
- • Data encryption and storage
Out of scope
- • Social engineering attacks (phishing, vishing)
- • Denial of Service (DoS/DDoS) attacks
- • Physical security attacks
- • Attacks against third-party services (Supabase, Cloudflare, etc.)
- • Spam or email flooding
- • Vulnerabilities in outdated browsers or plugins
Timeline
Response timeline
Recognition
Recognition
We recognize security researchers who help keep EvalGuard safe. With your permission, we will credit you on our security acknowledgments page. We may also offer bounties for critical vulnerabilities at our discretion.
Important
Please do not publicly disclose vulnerabilities before we have had a chance to address them. We commit to working with you transparently and resolving issues as quickly as possible.
Email security@