Security: TonyStef/Grov

SECURITY.md

Security Policy

Supported Versions

Version Supported
0.x.x

Reporting a Vulnerability

We take the security of Grov seriously. If you believe you have found a security vulnerability, please report it to us as described below.

Please Do

  • Email us at security@grov.dev with details of the vulnerability
  • Include steps to reproduce the issue
  • Allow us reasonable time to respond before public disclosure
  • Make a good faith effort to avoid privacy violations, data destruction, or service interruption

Please Don't

  • Access or modify data that doesn't belong to you
  • Perform actions that could harm our users or services
  • Use automated scanning tools that generate significant traffic

What to Include

  • Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
  • Location of the affected source code (file and line number if possible)
  • Step-by-step instructions to reproduce
  • Proof-of-concept or exploit code (if possible)
  • Impact assessment

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution Target: Within 30 days for critical issues

Safe Harbor

We consider security research conducted in good faith to be:

  • Authorized in accordance with this policy
  • Not subject to legal action from us
  • Helpful in improving our security

Scope

This policy applies to:

  • The Grov CLI (grov npm package)
  • The Grov API server
  • The Grov Dashboard

Out of Scope

  • Third-party services (Supabase, Vercel, etc.)
  • Social engineering attacks
  • Physical attacks
  • Denial of service attacks

Recognition

We appreciate the security research community's efforts. Researchers who report valid vulnerabilities will be:

  • Credited in our release notes (unless they prefer anonymity)
  • Listed in our Hall of Fame (coming soon)

Thank you for helping keep Grov and our users safe!