Security
Found a vulnerability? We want to hear from you. Here is how to reach us, what is in scope, and what happens next.
Report a vulnerability
Email us directly. Please do not open a public issue for a security problem — a private report keeps other users safe while we prepare a fix.
security@sovrium.comA useful report usually includes:
The affected version, component, or URL.
Clear steps to reproduce — a proof of concept helps most.
The impact you observed, and how you found it.
How we can credit you, if you would like acknowledgment.
Scope
Sovrium is source-available and self-hosted. That shapes what we can act on:
In scope: the Sovrium engine and its source, this website, and the official binary and container images.
Your deployment: you run and secure your own instance. We will happily advise, but we cannot access or patch a server we do not host.
Out of scope: findings that require a compromised host, social engineering, or denial-of-service by volume alone.
What to expect
We practise coordinated disclosure and read reports in English and French.
We aim to acknowledge your report within a few business days.
We will keep you posted as we investigate and work on a fix.
We disclose publicly once a fix ships, and credit you if you wish.
Trust posture
Sovrium is built to be owned, not rented: your data and your config stay on infrastructure you control. The source is available under a licence that becomes fully open over time.
This policy covers the Sovrium project itself. For a security question about a specific deployment, start with your operator.