Vulnerability Disclosure Policy
Groomba takes the security of customer data seriously. If you believe you have found a
security vulnerability in Groomba, we want to hear from you. This page describes how to
report, what we ask of you in return, and what you can expect from us.
1. Scope
This policy applies to vulnerabilities discovered in any of the following:
- The Groomba web application at groomba.ai and www.groomba.ai
- The Groomba Slack application
- The Groomba Jira Cloud OAuth integration
2. Out of scope
The following are not covered by this policy:
- Vulnerabilities in third-party services Groomba depends on (Slack, Atlassian, Stripe,
Heroku, Bugsnag, New Relic). Please report those directly to the respective provider.
- Denial-of-service attacks, volumetric testing, or any test that degrades the service for
other users.
- Social engineering, phishing, or physical attacks against Groomba staff, users, or
infrastructure.
- Findings produced by automated scanners that do not demonstrate concrete impact.
- Missing security headers or best-practice configuration items without a proven
exploitation path.
- Self-XSS, clickjacking on pages without sensitive state, and other low-impact
theoretical findings.
- Brute-force or credential-stuffing attacks against authentication endpoints.
- Issues affecting only end-of-life browsers or operating systems.
3. How to report
Email hello@groomba.ai with the subject line "Security report" and include:
- A description of the vulnerability and its potential impact
- Step-by-step reproduction instructions
- Any proof-of-concept code, screenshots, or supporting material
- Your preferred name for any future acknowledgment (optional)
If you would like to send encrypted information, mention this in your first email and we
will respond with a PGP key.
4. What you can expect from us
- We will acknowledge your report within 5 business days.
- We will provide an initial severity assessment and remediation timeline within 10 business days.
- We will keep you informed of progress and notify you when the issue is resolved.
- With your permission, we will acknowledge your contribution once a fix is deployed.
5. Safe harbor
If you make a good-faith effort to comply with this policy during your security research,
we will consider your research authorized. We will not initiate or support legal action
against you, and we will work with you to understand and resolve the issue quickly.
Good-faith effort means:
- You report the vulnerability promptly and confidentially.
- You do not access, modify, or delete data belonging to other users beyond what is
strictly necessary to demonstrate the vulnerability.
- You do not degrade the service for other users (no automated scanners, no
denial-of-service, no brute force).
- You do not publicly disclose the vulnerability before we have had a reasonable
opportunity to remediate.
6. Coordinated disclosure
We ask that you give us a reasonable window to investigate and remediate before publicly
disclosing your findings. We aim to fix high-severity vulnerabilities within 90 days of
confirmation; less severe issues may take longer. If you intend to publish your research,
please coordinate with us so customers are protected before disclosure.
7. Rewards
Groomba does not currently operate a paid bug bounty program. With your permission, we will
acknowledge your contribution once a fix is deployed.
8. Contact
Email: hello@groomba.ai
Subject line: "Security report"
Machine-readable index:
/.well-known/security.txt
This policy is effective as of May 12, 2026, and may be updated as our security program
evolves.