悟る · satoru

Security & Vulnerability Disclosure

We take the security of your grow data seriously and welcome reports from good-faith researchers.

How to report

Email phil@growsatoru.com with a clear description, the steps to reproduce, and the potential impact. Please give us a reasonable chance to investigate and remediate before any public disclosure. We'll acknowledge your report and keep you updated as we work on a fix. A machine-readable contact is published at /.well-known/security.txt.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider that research authorized, we will not pursue or support legal action against you (including under the Computer Fraud and Abuse Act or the DMCA's anti-circumvention provisions) for accidental, good-faith violations, and we will work with you to understand and resolve the issue quickly. This authorization extends only to conduct that follows this policy; it does not bind any third party, and you remain responsible for complying with all applicable laws.

Rules of engagement

  • Only test against accounts and data you own or have explicit permission to access.
  • Do not access, modify, delete, or exfiltrate other users' data. If you encounter someone else's data, stop and report it immediately.
  • Make a good-faith effort to avoid privacy violations, service disruption, and data destruction.
  • Use only test data; delete any data you retrieve in the course of research as soon as it's no longer needed.
  • Give us a reasonable time to remediate before public disclosure, and coordinate timing with us.

In scope

The Satoru web application and APIs at growsatoru.com.

Out of scope

  • Denial-of-service (DoS/DDoS), volumetric/load testing, and rate-limit brute-forcing.
  • Social engineering, phishing, or physical attacks against Satoru, its users, or staff.
  • Spam, or reports generated solely by automated scanners without a demonstrated, exploitable impact.
  • Vulnerabilities in third-party services we rely on (e.g. our hosting, database, payment, or email providers) — please report those to the respective vendor.
  • Missing best-practice headers or theoretical issues with no realistic exploit path.

Rewards

We do not currently run a paid bug-bounty program, but we genuinely appreciate responsible reports and will gladly credit researchers (with your permission) once an issue is resolved.

© 2026 Satoru. All rights reserved.

Privacy PolicyTerms of Service← Back to sign in