Vulnerability Disclosure

Reporting a security issue to Kovira

We welcome reports from security researchers and the wider community. This page sets out what is in scope, our safe harbour position, how to reach us, and the response timelines you can expect.

How to report

Email security disclosures to the address below. Please include reproduction steps, the affected URL or endpoint, the impact you observed, and any supporting screenshots or proof-of-concept payloads. Keeping the write-up self-contained (attach material directly rather than linking to external file hosting) helps us triage faster.

PGP encryption is optional. If you would like to send an encrypted report, request our public key in your initial message and we will respond with the current key fingerprint before you send sensitive payloads.

Response timelines

We aim to be predictable. The targets below are commitments we make to anyone who reports an issue in good faith.

Acknowledge

Within 5 business days of receipt. You will hear from a human, not an autoresponder.

Triage

Within 10 business days. We will share whether the report is accepted, our severity assessment, and a rough remediation timeline.

We will keep you informed through to remediation, and will coordinate a public disclosure date with you if one is appropriate.

Scope

These are the surfaces we accept reports against, and the categories we ask researchers not to test.

In scope

  • kovira.app (marketing site and public surfaces)
  • app.kovira.app (the Kovira product)
  • Public API endpoints under app.kovira.app
  • Supabase edge functions exposed under the kovira.app domain

Out of scope

  • Third-party services and SaaS that Kovira integrates with (report those to the relevant vendor)
  • Social engineering of Kovira staff, customers, or contractors
  • Denial-of-service, volumetric, or resource-exhaustion attacks
  • Physical attacks against Kovira offices, infrastructure, or personnel
  • Findings derived from automated scanners with no demonstrated exploitability
  • Reports of missing best-practice headers without an exploitable impact
  • Self-XSS, clickjacking on pages without sensitive actions, or rate-limit gaps without impact

Safe harbour

Kovira will not pursue legal action against researchers who act in good faith and follow this policy. Specifically, if you:

  • Test only assets listed in the in-scope list above.
  • Make a good-faith effort to avoid privacy violations, data destruction, or service degradation.
  • Stop testing as soon as you have enough evidence to demonstrate the issue, and do not exfiltrate more data than the minimum required.
  • Give us a reasonable opportunity to investigate and remediate before disclosing publicly.
  • Do not access, modify, or retain data belonging to other Kovira customers.

We consider research conducted under this policy to be authorised, lawful, and not in breach of our terms of service. If a third party initiates legal action against you for activity that complies with this policy, we will make it known that the activity was authorised.

Recognition

We maintain an internal hall of fame for researchers whose reports lead to a fix. With your permission, we will list your name (or handle) once the issue is resolved. Kovira does not currently run a paid bounty programme, so recognition is the thank-you we can offer alongside a prompt fix.

For the broader security posture (tenant isolation, RBAC, MFA, audit, encryption, vault), see the Kovira security overview.