Skip to main content

Security

Found a vulnerability? We want to hear from you. Here is how to reach us, what is in scope, and what happens next.

Report a vulnerability

Email us directly. Please do not open a public issue for a security problem — a private report keeps other users safe while we prepare a fix.

security@sovrium.com

A useful report usually includes:

The affected version, component, or URL.

Clear steps to reproduce — a proof of concept helps most.

The impact you observed, and how you found it.

How we can credit you, if you would like acknowledgment.

Scope

Sovrium is source-available and self-hosted. That shapes what we can act on:

In scope: the Sovrium engine and its source, this website, and the official binary and container images.

Your deployment: you run and secure your own instance. We will happily advise, but we cannot access or patch a server we do not host.

Out of scope: findings that require a compromised host, social engineering, or denial-of-service by volume alone.

What to expect

We practise coordinated disclosure and read reports in English and French.

We aim to acknowledge your report within a few business days.

We will keep you posted as we investigate and work on a fix.

We disclose publicly once a fix ships, and credit you if you wish.

Trust posture

Sovrium is built to be owned, not rented: your data and your config stay on infrastructure you control. The source is available under a licence that becomes fully open over time.

This policy covers the Sovrium project itself. For a security question about a specific deployment, start with your operator.