Effective Date: April 17, 2026
1. Safety Notice
Purpose
Even Realities is committed to maintaining the security and reliability of our products and services. We value the help of security researchers and the broader community in keeping our users safe.
This Vulnerability Disclosure Policy (the “Policy”) describes how security vulnerabilities should be responsibly reported and how Even Realities handles such reports. This Policy applies to all vulnerability submissions, regardless of whether the reporter is eligible for any specific reward program (Depending on the severity and impact of disclosed vulnerabilities, we will offer rewards on a case-by-case basis).
Scope
This Policy applies to security vulnerabilities affecting products and services developed, maintained, or operated by Even Realities, including but not limited to:
- Web services and online platforms operated by Even Realities (for example: www.evenrealities.com)
- Official mobile applications provided by Even Realities (for example: Even Realities App for iOS and Android)
- Official device firmware and embedded software for Even Realities products
- Device communication, update, authentication, and authorization mechanisms operated by Even Realities
Out of Scope:
- Third-party products, integrations, or services not developed by Even Realities.
- Modified, unofficial, or unsupported software/hardware (e.g., jailbroken devices).
- Physical security of Even Realities offices or data centers.
- Social engineering or phishing attacks against Even Realities employees or users.
Authorization Statement
This Policy is intended solely to provide a mechanism for reporting security vulnerabilities and does not constitute authorization to conduct penetration testing, security assessments, or any other form of active security testing. Even Realities encourages security research conducted in good faith.
If you conduct your security research and vulnerability disclosure in accordance with this policy:
- We consider your research to be authorized.
- We will not take legal action against you for activities that comply with this policy.
- If legal action is initiated by a third party against you, we will make it known that your actions were conducted in compliance with this policy.
Note: You must comply with all applicable laws. This authorization does not permit you to access, modify, or delete data belonging to other users.
2. Vulnerability Reporting
Report suspected vulnerabilities
Security researchers, industry organizations, customers and suppliers are encouraged to work with us and report security vulnerabilities related to Even Realities products and services.
Vulnerability reporting email
If you believe you have found a security vulnerability, please send a detailed report to our dedicated security contact:
If you encounter or discover security issues in Even Realities products and services, please send a detailed report to:
Email: software@evenrealities.com (Please use "Security Vulnerability" in the subject line)
Preferred Subject Format: [Vulnerability Type] - [Product/Component Name]
Where possible, vulnerability reports should include the following information:
- A detailed description of the vulnerability
- Affected products or versions
- Reproduction steps or proof of concept (PoC)
- An assessment of the potential security impact
3. Vulnerability Response
Even Realities values the vulnerability management of its products and services, supports responsible vulnerability disclosure and handling processes, and respects the research output of every security researcher. We will assign dedicated personnel to follow, analyze and handle each security issue that is reported to ensure that there is a timely resolution and response. We will send an email with the initial feedback within ten working days. We will continue to follow up and provide updates on the vulnerability resolution progress until the fix is completed.
Note: The actual time of response to the vulnerability may vary depending on its risk level and complexity.
Vulnerability awareness: Take the initiative to monitor and receive the potential security vulnerabilities and issues that are reported, and remain in contact with the vulnerability reporters.
Vulnerability verification: Verify whether potential security vulnerabilities and problems affect the security of our products, assess risks, and inform users about the rectification timeline and vulnerability levels.
Fixing vulnerabilities: Develop plans for mitigating the risks of and fixing vulnerabilities, verify the results of the vulnerability fix, and provide product upgrade packages or patches.
Vulnerability disclosure: Disclose vulnerability information when workarounds and patches are available (or when new releases are launched).
Problem improvement: After the vulnerability is disclosed, we will monitor the effectiveness of the remedy, collect customer feedback and suggestions, and update the patch/upgrade the package if necessary. Even Realities will also keep improving product development and vulnerability handling processes.
Throughout the vulnerability handling process, we will strictly control the scope of the vulnerability information and limit its dissemination to only the relevant personnel involved in the vulnerability remediation. We also request that the vulnerability reporter promise to keep the vulnerability information confidential until a complete resolution is provided to the users.
We will take the necessary and reasonable measures to protect the vulnerability data that we obtain based on legal compliance. Even Realities will not voluntarily share or disclose the above data to other parties unless expressly requested to by the affected customer or if required by law.
4. Prohibited Activities
Any activities resulting in the following outcomes are considered prohibited:
- Unauthorized access to Even Realities’s data or systems
- Disruption of service stability or availability
- Exploitation of vulnerabilities beyond what is necessary to demonstrate impact
- Premature public disclosure of vulnerability information without coordination
- Any activity that violates applicable laws or regulations
If sensitive or personal data is encountered during the vulnerability discovery process, the researcher must immediately cease the activity, avoid further access, delete any locally stored copies of such data, and promptly notify Even Realities in the vulnerability report.
Please do not provide sensitive personal data in your report beyond what is strictly necessary to prove the vulnerability.
5. Policy Updates
This Policy may be updated from time to time.
The most current version will be published on the official Even Realities website.