We take the security of our systems and data seriously. If you believe you have discovered a security vulnerability in our systems or applications, we encourage you to report it to us responsibly. We will investigate all reports and do our best to address any issues as quickly as possible. We value the work of security researchers and look forward to working with the community to improve our security posture.
Safe Harbor
Evolution will not pursue legal action against individuals who discover and report security vulnerabilities following this policy. We encourage researchers to report vulnerabilities to us as soon as possible so that we can work together to address the issue. However, if you engage in any malicious or harmful activities that violate this policy or the law, we reserve the right to take appropriate actions to protect our systems and users.
How-to
To report a vulnerability, please send an email to cybersec@evolution.com. Please include a detailed description of the vulnerability and the steps required to reproduce it. We also encourage you to include any proof-of-concept code or other materials that may help us understand the issue. If possible, please encrypt your report with our PGP key.
Scope
This policy applies to all systems and applications owned by Evolution and its subsidiaries. The following types of vulnerabilities are in scope for this policy:
- authentication and authorization bypass or broken session management
- server-side code execution (RCE) and server-side request forgery (SSRF)
- cross-site scripting (XSS) and cross-site request forgery (CSRF)
- database or template engine injections
- sensitive data or information disclosure
- other high-severity vulnerabilities with a clear impact
Out of Scope
The following types of vulnerabilities are considered out of scope:
- vulnerabilities that require physical access to our premises or hardware
- vulnerabilities that require using leaked or stolen credentials
- vulnerabilities that require extremely unlikely user interaction
- any kind of network or application Denial-of-Service (DoS) attacks
- any other low-severity vulnerabilities without a clear impact
Guidelines
- DO provide detailed information about the vulnerability, including steps to reproduce it
- DO include any proof-of-concept code or other materials that may help us understand the issue
- DO stop testing immediately if you encounter any personal data or sensitive information
- DO give us a reasonable amount of time to investigate and mitigate the issue before disclosing it publicly
- DON’T perform any actions that could affect the availability or functionality of our systems or services
- DON’T use any social engineering techniques such as phishing, vishing, or impersonation
- DON’T exploit the vulnerability for personal gain or malicious purposes
- DON’T disclose the vulnerability to anyone other than Evolution without our express written consent
Rewards
We appreciate the work of security researchers and are committed to working with the community to improve our security posture. We do not currently have an open bug-bounty program, but if you report a valid vulnerability to us following this policy, we will consider it on a case-by-case basis and may offer a reward as a token of our appreciation. We appreciate your help in keeping our systems and data secure.