We take the security of our systems and data seriously. If you believe you have discovered a security vulnerability in our systems or applications, we encourage you to report it to us responsibly. We will investigate all reports and do our best to address any issues as quickly as possible. We value the work of security researchers and look forward to working with the community to improve our security posture.

Safe Harbor

Evolution will not pursue legal action against individuals who discover and report security vulnerabilities following this policy. We encourage researchers to report vulnerabilities to us as soon as possible so that we can work together to address the issue. However, if you engage in any malicious or harmful activities that violate this policy or the law, we reserve the right to take appropriate actions to protect our systems and users.

How-to

To report a vulnerability, please send an email to cybersec@evolution.com. Include a detailed description of the vulnerability, the affected system or endpoint, and the steps required to reproduce it. We also encourage you to include any proof-of-concept code or other materials that may help us understand and verify the issue. If possible, please encrypt your report with our PGP key.

Scope

This policy applies to all systems and applications owned by Evolution and its subsidiaries. The following types of vulnerabilities are in the scope of this policy:

– authentication and authorization bypass or broken session management
– server-side code execution (RCE) and server-side request forgery (SSRF)
– cross-site scripting (XSS) and cross-site request forgery (CSRF)
– database or template engine injection
– sensitive data or information disclosure
– other high-severity vulnerabilities with a clear impact

Out of Scope

The following types of vulnerabilities are considered out of scope:

– vulnerabilities that require physical access to our premises or hardware
– vulnerabilities that require using leaked or stolen credentials
– vulnerabilities that require extremely unlikely user interaction
– any kind of network or application Denial-of-Service (DoS) attacks
– any other low-severity vulnerabilities without a clear impact

Guideline

Rewards

We appreciate the work of security researchers and are committed to working with the community to improve our security posture. We do not currently run an open bug-bounty program. If you report a valid vulnerability to us following this policy, we will consider it on a case-by-case basis and may offer a reward as a token of our appreciation. Thank you for helping keep our systems and data secure.
