
Vulnerability Disclosure Policy

Last updated: 1 December 2025

Novantra welcomes reports from security researchers about vulnerabilities in our platform and supporting infrastructure. This policy describes the scope of our disclosure programme, what to report, how to report it, and how we will respond.

1. Scope

This policy covers the following Novantra surfaces:

  • The Managed Cloud service hosted at cloud.novantra.io and the supporting APIs.
  • The Novantra marketing website at novantra.io including the waitlist, contact, and signup endpoints.
  • Installer artefacts and software components used to run a Novantra Sovereign deployment (Docker images, deb packages, MSI installers, and the SBOM material we publish alongside them).
  • The customer portal at portal.novantra.io when published.

Out of scope:

  • Third-party infrastructure that we use as a subprocessor (Neon, Upstash, Cloudflare, Zoho, Stripe, Google, GitHub, AWS, Azure). Report vulnerabilities in those products to their respective security teams.
  • Sovereign deployments running on customer infrastructure that we do not operate. The operator of that deployment is responsible for the runtime; reports about how the operator has configured their deployment should be sent to that operator.
  • Social engineering of Novantra staff or customers; physical attacks on Novantra premises; denial-of-service or load-generation testing against shared infrastructure.

2. How to Report

Send vulnerability reports to security@novantra.io. Please include:

  • The affected component and the environment you tested against (Managed Cloud, marketing website, Sovereign installer build version, etc.).
  • A clear description of the vulnerability, the steps required to reproduce it, and the impact you observed.
  • Any proof-of-concept or supporting artefacts; please redact real customer data if you incidentally encountered it.
  • A way for us to follow up with you (email is fine; we can switch to encrypted channels on request).

A PGP key fingerprint for encrypted reports is available on request from the same address.

3. Safe Harbour

When you conduct security research in good faith and consistent with this policy, Novantra will not pursue legal action against you under the Computer Fraud and Abuse Act (United States) or equivalent legislation (the Computer Misuse Act in the United Kingdom; the NIS2 Directive in the European Union; the Cybersecurity Law of the People’s Republic of China where applicable). We will not file a criminal complaint, will not request that your internet service provider or hosting provider deny service to you, and will not initiate a private lawsuit for the research itself.

Good-faith research means:

  • You stay within the scope above.
  • You make a reasonable effort to avoid privacy violations, destruction of data, or interruption or degradation of the Service.
  • You do not exfiltrate Customer Data beyond the minimum required to demonstrate the issue.
  • You give us a reasonable opportunity to respond before disclosing the finding publicly.

If your research causes accidental harm, tell us promptly; that is also good-faith conduct.

4. Response Targets

Our handling targets for reports received under this policy:

  • Acknowledgement: within 3 business days of receipt.
  • Initial triage and severity assessment: within 10 business days of receipt.
  • Regular status updates at least every 14 days until the report is resolved or closed.

Indicative resolution targets by severity (CVSS-aligned) are Critical within 7 days, High within 30 days, Medium within 90 days, and Low on a best-effort basis. These specific resolution targets are to be confirmed before general availability; they become a public commitment only once the Sovereign tier ships its supporting SLA.

5. Recognition

Researchers who report verified vulnerabilities may be credited in our security acknowledgements page or in release notes, subject to their consent. Novantra does not currently offer a paid bug bounty; we will publish updates here if that changes.

6. Contact

For security reports, security-related questions, or to coordinate disclosure, email security@novantra.io.

© 2026 Novantra. All rights reserved.