Sovantica

Vulnerability disclosure

If you have found a security issue in the sovantica.ai website, the Sovantica GitHub org, or Sovantica-wide infrastructure, email security@sovantica.ai. Include steps to reproduce, affected surface, and the impact as you see it.

Scope

In scope: the sovantica.ai website, the Sovantica GitHub organization at github.com/sovantica, and Sovantica-wide operational infrastructure (email, DNS, SSL, hosting, the studio's shared identity providers).

Out of scope: product-level issues in Engrava — those route to the product-specific channel at engrava.ai/security (contact: security@engrava.ai). Third-party services the studio integrates with (email provider, DNS registrar, hosting) are out of scope; report to the vendor directly. Rate-limit or denial-of-service findings on public static surfaces are out of scope — sovantica.ai is a static site with no server-side state to protect.

What to send

A short description of the issue, reproduction steps, the affected surface (URL, GitHub resource, DNS record, etc.), and your assessment of the impact. If you have a proof-of-concept, attach it — do not post it publicly while the issue is open.

Do not include personally identifying data harvested from a live target. A synthetic reproduction is enough.

What to expect

Initial acknowledgment within three business days. A status update within ten business days, including a triage severity and a rough remediation timeline. If the report turns out to be a known issue or out of scope, we will say so directly rather than leave the thread silent.

Sovantica is a small studio, and complex fixes can take weeks. Throughout, you will be told what is happening and when a remediation is expected.

Coordinated disclosure

We prefer coordinated disclosure: hold the finding until a remediation is in place and a public note is ready. Default embargo window is ninety days from your initial report, extendable by mutual agreement for findings that require vendor coordination or cross-ecosystem response.

Credit: if you want public credit, we will add your name and a link of your choice to the advisory or release note. Anonymous reports are equally welcome.

Out-of-band

If email is compromised or unreachable, open a private advisory on a Sovantica-owned repository at github.com/sovantica via the repository's Security tab. Do not open a public issue for a live vulnerability.
