Security: vedantb2/eva

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Eva, please report it responsibly.

Do not open a public issue. Instead, email hi@vedantb.com with:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

You should receive a response within 48 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.

Scope

The following are in scope:

  • The Eva web application
  • The Convex backend functions
  • The desktop application
  • Authentication and authorization logic
  • Sandbox execution environment

Out of Scope

  • Third-party services (Convex, Clerk, Daytona) — report those to the respective vendors
  • Social engineering attacks
  • Denial of service attacks

Disclosure Policy

  • We will acknowledge your report within 48 hours
  • We will provide an estimated timeline for a fix
  • We will notify you when the vulnerability is fixed
  • We ask that you do not disclose the vulnerability publicly until a fix is released

There aren't any published security advisories