# EvalGuard Security Vulnerability Disclosure
# https://datatracker.ietf.org/doc/html/rfc9116
#
# This file is served at https://evalguard.ai/.well-known/security.txt
# It tells security researchers how to reach us if they find a vuln,
# what scope is in/out, and how we'll respond. The expiration date is
# 1 year from the file's last update — past that, the file SHOULD be
# considered stale and the contact may be out of date.

Contact: mailto:security@evalguard.ai
Contact: https://evalguard.ai/security/disclose
Expires: 2027-05-17T00:00:00.000Z
Preferred-Languages: en
Canonical: https://evalguard.ai/.well-known/security.txt
Policy: https://evalguard.ai/security/responsible-disclosure
Acknowledgments: https://evalguard.ai/security/bounty
Hiring: https://evalguard.ai/careers

# Scope (in)
# - evalguard.ai (production web app + marketing)
# - api.evalguard.ai (REST API + GraphQL)
# - app.evalguard.ai (dashboard)
# - The @evalguard/* npm packages
#
# Scope (out)
# - Third-party services we integrate with (Supabase, Vercel,
#   Cloudflare, Hetzner) — report directly to those vendors.
# - Social engineering / phishing of EvalGuard staff.
# - Physical attacks against EvalGuard infrastructure or staff.
# - DDoS / volumetric attacks. We test for these via our own
#   load tools; please don't reproduce against production.
# - Vulnerabilities only exploitable by users with admin role on
#   their own org (privilege escalation WITHIN the org's scope is
#   by design — orgs are owned, not multi-tenant within).
#
# Response timeline
# - Acknowledgment: within 72 hours of submission.
# - Triage + initial severity assessment: within 7 days.
# - Fix or status update: at least monthly until closed.
# - Public disclosure: 90 days after acknowledgment, or sooner if
#   a fix has shipped and the reporter agrees.
#
# Recognition + bounty
# - Hall of Fame entry on evalguard.ai/security/bounty.
# - Severity rubric + cash tiers (post Series-Seed funding):
#   Critical $1k–$5k / High $500–$1.5k / Medium $200–$500 /
#   Low $50–$150. Pre-funding tier: hall-of-fame + written
#   severity ack for the reporter's portfolio.
# - Full program details: https://evalguard.ai/security/bounty
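The header above relies on two RFC 9116 mechanics that are easy to get wrong when a file like this is maintained by hand: `Expires` must be present exactly once and is what makes the file go stale, and `Canonical` ties the file to the URL it is actually served from. The validator below is an added example, not part of EvalGuard's file or tooling; it parses a security.txt, applies the RFC 9116 required-field and at-most-once rules, checks `Contact` URI schemes, flags a file whose `Expires` has passed or lies more than a year out, and compares `Canonical` against the fetch URL. The `SAMPLE` text, the `example.com` names and the `fetched_from` parameter are constructed for the example.

```python
"""Validate an RFC 9116 security.txt (added example, not EvalGuard's own code).

Parses 'Field: value' lines, skips '#' comments, applies the required-field
and multiplicity rules from RFC 9116, and reports whether the file is stale
relative to a supplied reference time."""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed sample so the check runs offline; not the real file.
SAMPLE = """\
# Example policy comment
Contact: mailto:security@example.com
Contact: https://example.com/security/disclose
Expires: 2027-05-17T00:00:00.000Z
Preferred-Languages: en
Canonical: https://example.com/.well-known/security.txt
"""

REQUIRED = ("Contact", "Expires")                  # RFC 9116: MUST be present
AT_MOST_ONCE = ("Expires", "Preferred-Languages")  # RFC 9116: MUST NOT repeat


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; a trailing 'Z' means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    when = datetime.fromisoformat(value)
    if when.tzinfo is None:
        raise ValueError("timestamp must carry a timezone offset")
    return when


def parse(text: str) -> dict[str, list[str]]:
    """Return lowercase field name -> list of values, in file order."""
    fields: dict[str, list[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the first ':' only; values such as mailto: and https:// contain colons.
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected 'Field: value', got {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(text: str, now: str, fetched_from: str | None = None) -> list[str]:
    """Return the problems found; an empty list means the file passes.

    `now` is an RFC 3339 timestamp used for the staleness check; `fetched_from`
    (hypothetical parameter) is the URL the file was retrieved from and is
    compared against the Canonical entries when given."""
    problems: list[str] = []
    fields = parse(text)
    reference = parse_rfc3339(now)

    for name in REQUIRED:
        if name.lower() not in fields:
            problems.append(f"missing required field {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name.lower(), [])) > 1:
            problems.append(f"{name} must not appear more than once")

    # RFC 9116 requires mailto:, tel: or https:// URIs for Contact.
    for value in fields.get("contact", []):
        if not value.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact must be a mailto:, tel: or https:// URI: {value}")

    expires = fields.get("expires", [])
    if len(expires) == 1:
        try:
            when = parse_rfc3339(expires[0])
        except ValueError as exc:
            problems.append(f"Expires is not RFC 3339: {exc}")
        else:
            if when <= reference:
                problems.append(f"file is stale: Expires {expires[0]} is in the past")
            elif when - reference > timedelta(days=365):
                problems.append("Expires should be less than a year in the future")

    canonical = fields.get("canonical", [])
    if fetched_from is not None and canonical and fetched_from not in canonical:
        problems.append(f"fetched from {fetched_from}, which is not listed under Canonical")
    return problems


if __name__ == "__main__":
    for problem in validate(SAMPLE, now="2026-09-01T00:00:00Z") or ["ok"]:
        print(problem)
```

Running this periodically against the live file (with `now` taken from the clock and `fetched_from` set to the URL actually requested) catches the failure mode the header warns about: an `Expires` that has quietly passed, so researchers may treat the listed contacts as unreliable.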