Responsible Disclosure Policy

Last updated: 6/27/2026

1. Policy Statement

Evnao values security research. We encourage responsible disclosure of vulnerabilities in our service so we can fix them. We will not initiate legal action against security researchers who follow this policy in good faith.

2. Scope

This policy covers the Evnao production platforms, including API endpoints and customer-facing apps. It does not authorize attacks on third-party components (e.g. payment processor, LLM providers, social media integrations). It does not authorize testing the underlying LLMs or networks beyond normal use.

3. Good Faith Testing Guidelines

Researchers may test any feature of the Evnao service, but must avoid:

  • Destructive testing that disrupts normal service or affects user privacy.
  • Accessing or modifying data they do not own.
  • Exceeding rate limits or brute-forcing accounts.
  • Vulnerability scanning that could impair the platform (unless expressly requested by Evnao).

4. Reporting

Send reports via email to security@evnao.com. Provide steps to reproduce, affected URLs, and a proof of concept. Include your contact info if you wish to receive updates or a bounty.

5. Evnao Commitments

  • We will acknowledge receipt within 3 business days.
  • We will not ask researchers to sign NDAs.
  • We aim to resolve issues promptly: critical bugs within 7 days, and less severe bugs within 30 days, or we will provide an update on the timeline.
  • We will credit researchers (with permission) once fixed.

6. Legal Safe Harbor

Evnao will not pursue legal action against researchers who adhere to this policy. However, Evnao reserves the right to take action against willful or malicious violations.

7. Contact

Report issues to security@evnao.com. For non-vulnerability inquiries, see our Contact page.