We actively support the following versions of Evolution API with security updates:

| Version | Supported |
|---------|-----------|
| 2.3.x   | ✅ Yes    |
| 2.2.x   | ✅ Yes    |
| 2.1.x   |           |
| < 2.1   | ❌ No     |

We take security vulnerabilities seriously. If you discover a security vulnerability in Evolution API, please help us by reporting it responsibly.

Please DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please report security vulnerabilities via email to:

When reporting a vulnerability, please include:
- Description: A clear description of the vulnerability
- Impact: What an attacker could achieve by exploiting this vulnerability
- Steps to Reproduce: Detailed steps to reproduce the issue
- Proof of Concept: If possible, include a minimal proof of concept
- Environment: Version of Evolution API, OS, Node.js version, etc.
- Suggested Fix: If you have ideas for how to fix the issue
We will acknowledge receipt of your vulnerability report within 48 hours and will send you regular updates about our progress.
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution Timeline: Varies based on complexity, typically 30-90 days
This security policy applies to:
- Evolution API core application
- Official Docker images
- Documentation that could lead to security issues
The following are generally considered out of scope:
- Third-party integrations (Chatwoot, Typebot, etc.) - please report to respective projects
- Issues in dependencies - please report to the dependency maintainers
- Social engineering attacks
- Physical attacks
- Denial of Service attacks
We believe in recognizing security researchers who help us keep Evolution API secure:
- We will acknowledge your contribution in our security advisories (unless you prefer to remain anonymous)
- For significant vulnerabilities, we may feature you in our Hall of Fame
- We will work with you on coordinated disclosure timing
For users deploying Evolution API:
- Always use the latest supported version
- Keep your dependencies up to date
- Use strong authentication methods
- Implement proper network security
- Monitor your logs for suspicious activity
- Follow the principle of least privilege
Security updates will be:
- Released as patch versions (e.g., 2.3.1 → 2.3.2)
- Documented in our CHANGELOG.md
- Announced in our community channels
- Tagged with security labels in GitHub releases
For any questions about this security policy, please contact:
- Email: contato@evolution-api.com
Thank you for helping keep Evolution API and our community safe! 🛡️