# Security Policy

## Reporting a Vulnerability

At Eviya, we take security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

### How to Report a Vulnerability

Please report security vulnerabilities by emailing **security[at]eviya[dot]ai**.

Please include the following information:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any potential solutions you may have identified

### What to Expect

- We will acknowledge receipt of your vulnerability report within 3 business days
- We will provide a timeline for addressing the vulnerability
- We will keep you informed about the progress of resolving the vulnerability
- We will notify you when the vulnerability is fixed

### Safe Harbor

We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Only interact with accounts they own or with the explicit permission of the account holder
- Do not exploit a security issue they discover for any reason other than testing
- Report any vulnerability they have discovered promptly
- Do not share information about the vulnerability with others until it has been resolved

### Scope

The following domains are in scope for our vulnerability disclosure program:
- eviya.ai
- *.eviya.ai

### Out of Scope

The following are out of scope for our vulnerability disclosure program:
- Denial of service attacks
- Spam or social engineering attacks
- Physical attacks against our offices or data centers
- Findings from automated tools without verification

### Bug Bounty Program

At this time, we do not offer monetary rewards for vulnerability reports. However, we will acknowledge, in our security documentation, security researchers who report valid vulnerabilities.

### Responsible Disclosure Timeline

- **Day 0**: Vulnerability reported
- **Day 3**: Acknowledgment of report
- **Day 30**: Target date for vulnerability fix
- **Day 90**: Public disclosure (if agreed upon with the researcher)

Thank you for helping keep Eviya and our users safe!