Growfin will engage with external security researchers when vulnerabilities are reported according to the rules set out in this Responsible Disclosure Policy.
Rules
Growfin welcomes reports from external security researchers who act in good faith and follow the rules outlined in this Responsible Disclosure Policy. To be eligible for recognition and ensure a safe and productive process, you must adhere to the following guidelines:
- All submissions must be within the defined scope outlined in this policy.
- Any information related to the vulnerability must be kept strictly confidential between you and Growfin indefinitely.
- Public disclosure of the vulnerability in any form or medium is not permitted.
- You must not perform any actions that could degrade, damage, or disrupt Growfin’s services or data.
- Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) testing is strictly prohibited.
- You waive any legal claims or liabilities against Growfin arising from your submission, provided it complies with this policy.
Requests for Compensation
Growfin does not offer monetary compensation for vulnerability reports submitted under this policy. Any request for payment or reward will be considered a violation of the Responsible Disclosure Policy and may render the submission ineligible for further review.
However, at its sole discretion, Growfin may choose to send non-monetary tokens of appreciation, such as branded swag, for valid and impactful findings.
Scope
In Scope:
The following assets are considered within the scope of this program:
Researchers are encouraged to focus on vulnerabilities affecting the security, confidentiality, integrity, or availability of these systems.
Out of Scope:
The following are strictly out of scope and must not be tested or reported:
- Social engineering (e.g., phishing, impersonation of employees or customers)
- Denial-of-Service (DoS or DDoS) attacks or attempts to disrupt service availability
- Use of automated tools or scripts that could generate excessive traffic or impact system stability
- Spelling errors, grammatical issues, or other non-security-related content flaws
- Cosmetic or UX/UI issues that do not pose a security risk
- Issues that do not affect the latest version of modern web browsers
- General security best practices without a demonstrable impact
- Duplicate issues reported across multiple subdomains
- Self-XSS (Cross-Site Scripting that can only be triggered by the user themselves)
- Open redirect vulnerabilities without a demonstrated security impact
- Brute force attacks of any kind
- Man-in-the-Middle (MitM) attacks
- Clickjacking without demonstrable security risk or impact
- Publicly disclosed or non-sensitive Google API keys
- Verbose error messages that do not disclose sensitive information
- CORS misconfigurations on non-sensitive endpoints
- Absence of cookie flags (e.g., HttpOnly, Secure, SameSite)
- Missing or misconfigured security headers (e.g., X-Frame-Options, Content-Security-Policy)
- Tab-nabbing issues
- Host header injection without proven security impact
- Cross-domain referrer leakage
- Email spoofing or issues related to SPF, DKIM, or DMARC records
- Email bombing or spamming tests
- Software or server version disclosures
- Issues that rely on highly unlikely or unrealistic user interactions
- Broken link hijacking (e.g., abandoned social media URLs)
- Reports of weak SSL/TLS configurations without exploitable impact
- Disclosure of API keys or tokens that do not expose sensitive data or systems
- Physical security attacks or those requiring physical access to a device
- Reports involving recently disclosed zero-day vulnerabilities in third-party software (unless proven exploitable in Growfin’s context)
- Reports that lack evidence of actual exploitation or impact
- Presence or retention of EXIF data in images — this is intentional and by design for customer use cases
- Known issues already reported or acknowledged by the Growfin team
How to report
All vulnerabilities must be reported to security@growfin.ai with the following details:
Details:
Full Name:
Mobile Number:
LinkedIn Profile:
Bug Details:
Name of the Vulnerability:
Description of Vulnerability:
Proof of concept:
Detailed steps to reproduce:
Growfin’s Commitment to Researchers
As long as you comply with the terms and guidelines set forth in this Responsible Disclosure Policy, Growfin makes the following commitments:
- No Legal Action: Growfin will not pursue civil or criminal legal action against you, nor will we initiate contact with law enforcement, for security research conducted in good faith and in accordance with this policy, provided no harm is caused to Growfin, its customers, or its systems. We consider such activities to be "authorized conduct" under the Computer Fraud and Abuse Act (CFAA) of 1986.
- Collaboration: We will engage with you in good faith to understand and validate the reported vulnerability and work toward an appropriate resolution.
- Transparency: Upon verifying the report’s authenticity, we will keep you reasonably informed of the timeline and status of the fix.
Public disclosure
By default, this program operates in a strict non-disclosure mode:
Public disclosure of any vulnerability reported under this program is strictly prohibited.
Researchers must not share, publish, or otherwise disclose details of the vulnerability in any public forum, blog, social media, or other medium.
Any unauthorized disclosure will be considered a violation of this policy and may result in legal action or penalties in accordance with applicable laws.