Responsible Disclosure

Security vulnerability reporting guidelines

Quick Summary

Groomfiy welcomes reports of security vulnerabilities from the security research community. Please email security@groomfiy.com with your findings.

How to Report a Vulnerability

When reporting a security vulnerability, please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Impact assessment
  • Proof of concept (if applicable)

Scope

Scope: All systems under *.groomfiy.com.

Out of Scope

  • Denial of service attacks
  • Social engineering
  • Physical security testing
  • Third-party services (Stripe, Twilio, Resend, etc.) — report directly to those providers
  • Automated scanning that generates excessive traffic

Safe Harbor

Researchers acting in good faith and within the rules above will not be pursued under the Computer Fraud and Abuse Act (CFAA), DMCA, or similar laws.

Reward

We are not currently running a paid bug bounty program. Valid submissions may be eligible for recognition and future bounty consideration.


Version: v1.0
Last Updated: 2026-05-08
Effective Date: 2026-05-08