GrowthRx Labs

Last updated · May 28, 2026

Security

We take security seriously. This page describes our public security commitments and our Vulnerability Disclosure Program (VDP) so researchers can report issues to us safely.

Scope

  • growthrxlabs.com — the marketing site (this site)
  • app.growthrxlabs.com — the Peptide OS Service
  • Public APIs at app.growthrxlabs.com/api/*

Out of scope: third-party services we don't operate (Formspree, Google, Vercel, Supabase, Resend, Twilio) — report those to their respective programs.

Security posture

  • Transport security — TLS 1.2+ enforced; HSTS preload-eligible
  • Storage encryption — AES-256 at rest across all data stores
  • Authentication — bcrypt password hashing, single-use invite tokens with database-level claim guards
  • Tenant isolation — Row-Level Security policies at the database tier
  • Audit logging — all access to sensitive records is logged with actor, action, timestamp
  • Rate limiting — at the edge for auth, webhook, upload, and general API endpoints
  • Content Security Policy — strict script-src allowlist; no inline scripts beyond what's explicitly approved
  • Dependency scanning — automated vulnerability scans on every deploy
  • Bot/scanner filtering — requests with known offensive user-agent (UA) strings are blocked at the edge

Vulnerability Disclosure Program

We welcome reports

If you discover a security vulnerability in our scope above, please report it. We will not pursue legal action against researchers who:

  • Make a good-faith effort to follow this policy
  • Avoid privacy violations, destruction of data, and interruption of the Service
  • Give us reasonable time to investigate and remediate before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

How to report

Email security@growthrxlabs.com with the subject line Security Report. Include:

  • Description of the vulnerability
  • Steps to reproduce
  • The affected URL or endpoint
  • The potential impact
  • Your name and how we should credit you (optional)

For sensitive reports, you can encrypt the email using the PGP key linked from /.well-known/security.txt.

What you can expect

  • Acknowledgement within 2 business days
  • Triage and initial assessment within 5 business days
  • Status updates at least every 7 days while we work on remediation
  • Credit in our security acknowledgments page (with your permission)

We currently do not run a paid bug bounty program. We are happy to discuss credit, swag, and acknowledgement as recognition.

Out-of-scope reports we generally do not act on

  • Missing security headers without a demonstrated exploit (we use a defensible baseline; researchers should show real impact)
  • Theoretical CSRF on logged-out endpoints with no state-change capability
  • Self-XSS that requires the victim to attack themselves
  • Rate-limit issues on non-sensitive endpoints below practical-abuse thresholds
  • Reports generated solely by automated scanners with no verified impact
  • Social engineering of GrowthRx employees or customers
  • Physical attacks against GrowthRx offices or staff

Incident response

Our incident response process follows NIST SP 800-61 patterns: detection, triage, containment, eradication, recovery, and post-incident review. Customer-affecting incidents trigger notification per our Privacy Policy and the HIPAA Notice for clinic customers.

Coordinated disclosure

We follow coordinated disclosure principles. We ask researchers to give us reasonable time to remediate (typically 90 days for serious issues, 30 days for less severe) before public disclosure. We will work with researchers on appropriate disclosure timing.

Safe harbor

Activities conducted in a manner consistent with this policy will be considered authorized conduct under the Computer Fraud and Abuse Act (CFAA) and similar laws. We waive any DMCA claim against you for circumventing the technological measures we have used to protect the in-scope assets. We will not bring a legal action against you for activity that is consistent with this policy.

Contact

Security questions or reports — security@growthrxlabs.com.