Last updated 2026-05-06

Security Bug Bounty.

We pay for security findings that improve EvalGuard. Verified vulnerabilities earn recognition in the hall of fame; cash bounties scale with funding.

How to participate

  1. Find a vulnerability in the in-scope assets (below).
  2. Email security@evalguard.ai with a reproducer, affected URL/component, and your severity assessment.
  3. Wait for triage (initial response within 48 hours).
  4. If verified, you choose: hall-of-fame credit (always), or hall-of-fame + cash bounty per the rubric below.

In scope

  • https://evalguard.ai (production app + API)
  • https://www.evalguard.ai (alias)
  • Any https://evalguard.ai/api/v1/* endpoint
  • The @evalguard/sdk, evalguardai-openai, evalguardai-anthropic, and evalguardai-otel npm packages
  • The public source repository at github.com/EvalGuardAi/evalguard (e.g., supply-chain issues, secrets in commits)

Out of scope

  • Findings on third-party infrastructure (Supabase, Cloudflare, Hetzner, Vercel, Sentry, BullMQ-as-a-service) — report to those vendors directly.
  • Denial-of-service via volumetric attacks, brute-force without mitigation bypass, or rate-limit testing without explicit permission.
  • Social engineering, phishing of EvalGuard staff, or physical attacks on infrastructure.
  • Self-XSS, missing best-practice headers without exploit proof, weak ciphers without practical attack, theoretical vulnerabilities without a reproducer.
  • Vulnerabilities requiring root on a victim's device, or requiring browser plugins/extensions installed.
  • Spamming the bug bounty program (low-effort or duplicate reports). We may ban repeat offenders.

Severity + bounty rubric

Cash bounties are paid against the rubric below as funding allows. The pre-funding tier is hall-of-fame credit + a written acknowledgement of the severity for your portfolio. Cash tiers activate post Series-Seed close.

| Severity | Examples | Pre-funding | Post-funding |
|----------|----------|-------------|--------------|
| Critical | Auth bypass, RCE on prod, cross-tenant data read/write, service-role-key exfil, supply-chain compromise of an OSS package | Hall of fame + written ack | $1,000 – $5,000 |
| High | Vertical privilege escalation, audit-log tampering with service-role-key, IDOR with PII exposure, BOLA on owned resources, SSRF to internal services | Hall of fame + written ack | $500 – $1,500 |
| Medium | Reflected XSS in authenticated context, CSRF on mutating endpoint, mass-assignment, ReDoS on user-input regex, DoS-able endpoint with no rate limit | Hall of fame | $200 – $500 |
| Low | Information disclosure (e.g., stack trace), missing security header with practical attack, open redirect with limited impact | Hall of fame | $50 – $150 |

Response SLA

  • Initial triage: 48 hours from email receipt.
  • Severity confirmation: 5 business days.
  • Patch + production deploy: Critical 24h, High 7d, Medium 30d, Low 90d.
  • Public disclosure: 90 days from initial report, OR after a verified fix ships and the reporter agrees, whichever is sooner.

Safe harbor

We will not pursue legal action against you for security research conducted in good faith and within the scope of this policy. Specifically, you may:

  • Probe the in-scope assets for vulnerabilities, including automated scanning at reasonable rates.
  • Reproduce a vulnerability using your own test account, OR with a temporary fictitious account (do not use real customer accounts).
  • Retain proof-of-concept material long enough to author a report; you must delete any obtained PII or secrets after we acknowledge.

You must NOT: access or modify customer data, leverage a found vulnerability beyond a minimal proof-of-concept, publicly disclose before the agreed timeline, or violate the responsible disclosure policy.

Hall of fame

Researchers who have contributed verified vulnerability reports. Listed with their consent.

Be the first.

Reference

Reporting email: security@evalguard.ai

PGP / security.txt: /.well-known/security.txt

Formal disclosure policy: /security/responsible-disclosure

Threat model: docs/threat-model.md