Evolution Foundation takes the security of Evolution API seriously. We appreciate your efforts to responsibly disclose any vulnerabilities you find.
Please do NOT open a public GitHub issue for security vulnerabilities.
Instead, report them privately through one of the following channels:
- GitHub Private Vulnerability Reporting — use the "Security" tab on this repository to submit a private advisory.
- Email — send your report to [email protected] with the subject line `[SECURITY] Evolution API — <brief description>`.
To help us triage and resolve the issue quickly, please include:
- A clear description of the vulnerability
- Steps to reproduce (proof of concept, if available)
- Affected versions
- Potential impact and severity assessment
- Any suggested mitigation or fix
- Your name and contact information (for credit, if desired)
| Stage | Target |
|---|---|
| Initial acknowledgment | Within 48 hours |
| Triage and validation | Within 5 business days |
| Fix development | Depends on severity (1–30 days) |
| Public disclosure | Coordinated with reporter after fix is released |
We follow a coordinated disclosure model:
- You report the vulnerability privately
- We acknowledge receipt and begin triage
- We work with you to understand and validate the issue
- We develop, test, and release a fix
- We publicly disclose the vulnerability and credit you (unless you prefer to remain anonymous)
Security updates are provided for the latest released version. Older versions may receive critical security fixes at our discretion.
We value the security research community. Researchers who responsibly disclose vulnerabilities will be:
- Credited in the security advisory (with permission)
- Listed in our acknowledgments page (when available)
- Eligible for public recognition via Evolution Foundation channels
For general inquiries (non-security): [email protected]
For more information: evolutionfoundation.com.br