Evaneos Vulnerability Disclosure Policy
Introduction
At Evaneos, we take security seriously and strive to ensure the safety of our digital assets. As part of this
commitment, we welcome feedback from security researchers and the general public to help us identify and address any
potential vulnerabilities.
We understand the importance of transparency and accountability in maintaining security, which is why we have implemented a Vulnerability Disclosure Policy. This policy outlines the steps for reporting vulnerabilities to us, the expectations we have for researchers, and what researchers can expect from us in return.
If you believe that you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. We encourage responsible disclosure and promise to work with you to understand and validate your report, keep you informed about the progress of the vulnerability as it is processed, and remediate the issue in a timely manner.
However, please note that Evaneos does not have any security bounty program or rewards for discovering security flaws. We welcome feedback from researchers and the general public solely for the purpose of improving our security measures.
By working together, we can maintain a safe and secure environment for our users and ensure the integrity of our digital assets.
Systems in Scope
This policy applies to any digital assets owned, operated, or maintained by Evaneos.
Out of Scope
- Assets or other equipment not owned by parties participating in this policy.
Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.
Our Commitments
When working with us, according to this policy, you can expect us to:
- Respond to your report promptly, and work with you to understand and validate your report;
- Strive to keep you informed about the progress of a vulnerability as it is processed;
- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
Our Expectations
In participating in our vulnerability disclosure program in good faith, we ask that you:
- Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Provide us a reasonable amount of time to resolve the issue before you disclose it publicly;
- Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
- We aren't interested in automated scanners;
- If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept, and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII) or proprietary information;
- Interact only with test accounts you own or with explicit permission from the account holder; and
- Do not engage in extortion.
Official Channels
Please report security issues via security@evaneos.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
Understanding the crucial importance of data security, we advocate the use of secure channels. You can access our PGP public key (here). Please encrypt your communications with this key to ensure confidentiality.