Security Disclosures

Last Updated: 2020-09-18

We've released Grouparoo as open source to make it easy for developers like yourself to see how it works, and to make it easier to identify bugs and security issues. If you believe you have identified a security issue, rather than open an Issue or Pull Request, we ask that you share the details of the issue with us via email first. Doing so will allow us to plan how to address the issues and release a new version before publicly disclosing the problem. Feel free to work on a patch in your own Fork to share with us, but again, please do not yet open a Pull Request without coordinating with us.

If you believe you have found a security vulnerability with any Grouparoo product, or a library we rely on, please email

As an early-stage startup, we do not yet have a formal bug-bounty program. We do plan to add a Bug Bounty program as we grow.

To help monitor for security issues and disclosures, we employ automated dependency monitoring via: