Vulnerability disclosure.
If you have found a security issue in engrava, Engrava Pro, or engrava.ai, email security@engrava.ai. Include steps to reproduce, affected versions, and the impact as you see it.
Scope
In scope: the engrava Python package on PyPI and its source at github.com/sovantica/engrava, Engrava Pro, and the engrava.ai website (including the /docs subpath when live).
Out of scope: Sovantica-wide infrastructure (report to security@sovantica.ai when the studio site's policy is live), third-party services that engrava integrates with (report upstream), and rate-limit or denial-of-service findings on public static surfaces — engrava.ai is a static site and has no server-side state to protect.
What to send
A short description of the issue, reproduction steps, the affected version (pip show engrava or the commit SHA), and your assessment of the impact. If you have a proof-of-concept, attach it — do not post it publicly while the issue is open.
Do not include personally identifying data harvested from a live target. A synthetic reproduction is enough.
What to expect
Initial acknowledgment within three business days. A status update within ten business days, including a triage severity and a rough fix timeline. If the report turns out to be a known issue or out of scope, we will say so directly rather than leave the thread silent.
engrava is developed by a small team. Complex fixes can take weeks. We will tell you what is happening and when we expect a release.
Coordinated disclosure
We prefer coordinated disclosure: hold the finding until a patched release is on PyPI and a release note is published. Default embargo window is ninety days from your initial report, extendable by mutual agreement for findings that require schema migration or cross-ecosystem coordination.
Credit: if you want public credit, we will add your name and a link of your choice to the release note and, if the finding warranted a CVE, to the advisory. Anonymous reports are equally welcome.
Out-of-band
If email is compromised or unreachable, open a GitHub Security Advisory on github.com/sovantica/engrava/security/advisories. Do not open a public issue for a live vulnerability.