Vulnerability disclosure.

Evenhand welcomes good-faith reports of security vulnerabilities in the platform. This page describes how to report a vulnerability, the safe harbor we extend to researchers who follow it, what we ask researchers not to do, and what to expect from us once we receive a report.

How to report.

Email security@evenhandhq.com. Please include:

  • A clear description of the vulnerability.
  • The affected URL, endpoint, or feature, and the environment you observed it in (production, preview, local).
  • Reproduction steps with a minimal proof of concept. Do not include credentials or data belonging to other Users.
  • Your assessment of the impact, and any suggested remediation.
  • Whether you want to be credited publicly once the vulnerability is resolved.

Safe harbor.

Evenhand will not pursue legal action against researchers who report vulnerabilities in good faith and in compliance with this page. Good-faith research means you:

  • Avoid privacy violations, degradation of service, and destruction of data.
  • Do not access, modify, or exfiltrate data belonging to other Users — including by exploiting a vulnerability to read another Brokerage's Deal Data or any User's personal information.
  • Do not run automated scans against production infrastructure that would generate disruptive load.
  • Stop and report as soon as you have demonstrated the vulnerability — do not chain exploits beyond what is necessary to confirm impact.
  • Give Evenhand a reasonable opportunity to remediate before public disclosure (we aim for ninety (90) days from acknowledgment, longer if the fix is non-trivial; we will coordinate disclosure with you).

Activity that exceeds the safe harbor is treated as unauthorized access under the Acceptable Use Policy.

What to expect from us.

Acknowledgment
Within two (2) business days of receipt.
Triage and severity assessment
Within seven (7) business days of acknowledgment, we will share a severity assessment and a remediation plan.
Status updates
At least every fourteen (14) days until the vulnerability is resolved, the report is closed as invalid, or coordinated disclosure is arranged.
Bounty
Evenhand does not currently run a paid bug bounty. Researchers who report valid vulnerabilities are credited (with permission) on this page and on the applicable release notes.

Scope.

In scope: the Evenhand platform reachable at evenhandhq.com and evenhand.co, the public REST API under /api/v1/, the MCP server at /api/mcp/v1/server, the authentication and webhook endpoints, and the marketing site.

Out of scope: vulnerabilities in third-party sub-processors (report those to the provider directly — see the sub-processor list); rate-limit-only DDoS reports; social engineering of Evenhand staff or customers; physical-security findings; vulnerabilities requiring a privileged Evenhand staff account; and findings on hosted preview deployments that also exist in production (please report the production occurrence instead).