SLAs at a glance
How to report
In scope — what we want
Not actionable
These categories aren’t dismissed as a class — they’re not actionable as vulnerability reports without a demonstrated exploit path.Out of scope
Tenant-app-level vulnerabilities owned by the tenant operator — for example, SQL injection in a tenant’s own Postgres schema, or a misconfigured form in a tenant’s app — are the responsibility of the tenant operator, not gavAI. Report those directly to the operator. If such a report reaches us in error, we forward it to the relevant workspace owner.