| Version | Supported |
|---|---|
| 1.0.x | ✅ Yes |

Email security@sovereignsystems.cc with:
- A description of the vulnerability
- Steps to reproduce
- Affected version(s)
- Any proof-of-concept code or screenshots

Do not open a public GitHub issue for security vulnerabilities.

We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 90 days. We will notify you when a fix is released.

In scope: SOSA DevOps application, auto-updater pipeline, installer artifacts.

Out of scope: Third-party runtimes (Ollama), third-party AI models, the user's own hardware and OS configuration.

We follow coordinated disclosure. Please give us 90 days to investigate and patch before public disclosure. We will credit reporters in the release notes unless you prefer anonymity.