Legal Information

Security Vulnerability Reporting — gro.now

Last updated: 26 May 2026

We take the security of the gro.now platform and the data entrusted to us seriously. If you believe you have found a security vulnerability in gro.now or related Pwron infrastructure, we ask you to report it to us privately so we can investigate and address it.

How to report

Please send your report to security@gro.now.

A useful report includes:

  • a clear description of the vulnerability;
  • the affected URL, endpoint, or component;
  • reproduction steps (proof of concept) — at the minimum level needed to demonstrate the issue;
  • the potential impact as you see it;
  • your contact details (so we can follow up).

What you can expect from us

  • We will acknowledge receipt of your report, typically within one business day.
  • We will review the report and assess the impact and severity.
  • We will keep you reasonably informed about the status, at our discretion.
  • We will not take legal action against good-faith researchers who follow this policy.

What we ask from you

  • Do not access, modify, or delete user data beyond what is strictly necessary to demonstrate the vulnerability.
  • Do not disrupt the platform, its users, or its availability.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it.
  • Do not use automated scanning that materially impacts platform performance.

Out of scope

The following are generally out of scope or considered low-risk and may not be prioritised:

  • denial-of-service testing;
  • social engineering of Pwron employees, contractors, or users;
  • physical security testing;
  • reports from automated scanners without manual validation;
  • missing best-practice headers without demonstrated impact;
  • vulnerabilities affecting outdated browsers or operating systems no longer supported by their vendors.

What we do not offer

We do not currently operate a paid bug bounty programme. We do not offer monetary rewards for vulnerability reports. We may, at our discretion and with your consent, acknowledge your contribution publicly.

Coordinated disclosure

We follow the principle of coordinated disclosure. We ask researchers to give us a reasonable period to address a reported vulnerability before any public disclosure. We are happy to coordinate disclosure timing together with you.

Legal note

This page is informational and does not create a contract or legal obligations between you and Pwron LLP. We retain the right to update this page from time to time.

Contact: security@gro.now