Responsible Disclosure Policy

The security of our systems and user data, including at https://evidence.guide, is a top priority for the Robyn Dawes Institute for the Improvement of Science. We appreciate the work of security researchers acting in good faith to identify and report potential vulnerabilities.

Purpose

Robyn Dawes Institute is committed to advancing rigorous, trustworthy scientific infrastructure. Central to this mission is protecting the security, integrity, and availability of our systems, services, and the data entrusted to us.

This Policy provides a clear framework for researchers to report potential security vulnerabilities responsibly and for us to investigate and remediate them in a coordinated manner.

If you discover a vulnerability that may affect multiple organizations, we encourage you to report it to each affected organization separately so all impacted services can independently assess and address the issue.

Scope of Systems

This Policy applies to internet-facing systems, services, applications, APIs, and websites owned, operated, or controlled by Robyn Dawes Institute, including https://evidence.guide and related domains and subdomains (collectively, the "Information Systems").

This Policy does not apply to systems owned or controlled by third parties, including hosting providers, cloud infrastructure vendors, contractors, or service providers, even if integrated with our Information Systems. Reports concerning those systems should be directed to the relevant third party.

Scope of Vulnerabilities

This Policy covers technical vulnerabilities that may affect the security, confidentiality, or integrity of our Information Systems, including:

  • Authentication bypass or privilege escalation;
  • Injection vulnerabilities (e.g., SQL injection, command injection);
  • Cross-site scripting (XSS);
  • Cross-site request forgery (CSRF);
  • Insecure direct object references;
  • Misconfigurations exposing sensitive data;
  • Directory traversal or file access vulnerabilities.

This Policy does not generally cover:

  • Denial-of-service attacks or stress testing;
  • Social engineering (including phishing attempts);
  • Account takeovers of accounts that are not your own;
  • Physical security issues;
  • Red-teaming or adversarial testing of AI model outputs;
  • Content-related concerns with model responses (report these separately via product safety channels).

How to Submit a Report

If you discover a potential security vulnerability, please report it to: [email protected]

Your report should include, where possible:

  • A summary of the vulnerability;
  • The type and potential severity;
  • Technical details sufficient to reproduce the issue;
  • Steps to reproduce;
  • URL or system location affected;
  • Proof-of-concept code, screenshots, or recordings (if applicable);
  • The potential impact; and
  • Any recommended remediation.

We ask that you submit one vulnerability per report and include any intended plans for public disclosure. We request that you coordinate with us before publicly disclosing any vulnerability so that remediation can occur prior to disclosure.

Research Guidelines

To qualify under this Policy, you must:

  • Test only for the purpose of identifying and reporting vulnerabilities;
  • Avoid causing harm to the Information Systems or users;
  • Avoid disrupting services or generating excessive traffic;
  • Avoid accessing, acquiring, modifying, or deleting data beyond what is minimally necessary to demonstrate the vulnerability;
  • Not exfiltrate, download, or retain data accessed during testing;
  • Not access accounts that are not your own;
  • Not engage in social engineering;
  • Not demand compensation or threaten public disclosure as a condition of reporting; and
  • Comply with all applicable laws in conducting your research.

What to Expect from Us

If you report a vulnerability in good faith and in accordance with this Policy, you can expect us to:

  • Acknowledge receipt of your report within approximately 3–5 business days;
  • Promptly evaluate and investigate the report;
  • Confirm whether a vulnerability exists (at our discretion);
  • Use reasonable efforts to remediate confirmed vulnerabilities within a commercially reasonable timeframe (typically within several weeks, depending on severity and complexity);
  • Keep you reasonably informed of investigation and remediation progress; and
  • Coordinate with you regarding responsible public disclosure.

Safe Harbor

If you make a good-faith effort to research and disclose vulnerabilities in accordance with this Policy and applicable laws, Robyn Dawes Institute will not pursue legal action against you solely for your responsible disclosure activities.

This Safe Harbor does not apply to activities involving extortion, data exfiltration, unauthorized disclosure of personal information, or other unlawful conduct.

No Bug Bounty

https://evidence.guide does not currently operate a bug bounty program and does not guarantee financial compensation for vulnerability reports. We may, at our discretion, acknowledge contributors publicly.

Changes to This Policy

We may update this Responsible Disclosure Policy at any time by publishing a revised version and updating the "Last Modified" date.

Questions? Contact us at [email protected].

Last Modified: April 2, 2026.