Plain-language summary
If you’ve found a potential security issue with anything we operate (njuru.com, technooptics.com, advottic.com, taxottic.com or rollsanddigs.com), please tell us. We’ll respond, work with you on a fix, and won’t take legal action against good-faith research that follows this policy.
1. How to report
Email security@njuru.com with:
- A description of the issue and where you found it (URL or specific feature).
- Reproduction steps so our team can confirm the finding quickly.
- Any proof-of-concept artefacts, logs, or screenshots that help.
- Your name (or a handle) and how you’d like to be credited if we acknowledge the report publicly.
For sensitive details we will accept a PGP-encrypted message; ask for our key when you write. The same contact address is also published in machine-readable form at /.well-known/security.txt (RFC 9116), so automated tooling and researchers can find it without reading this page.
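RFC 9116 puts a few hard requirements on a security.txt file: a Contact field and an Expires field are mandatory, Expires may appear only once and must be an ISO 8601 timestamp in the future (the RFC recommends no more than a year ahead), Contact values must be URIs (mailto:, tel: or https:), and link fields such as Canonical or Policy must use https. The checker below is an added example and not code from the Njuru policy or site; the two sample files embedded in it are constructed for illustration, and the Encryption, Canonical and Policy URLs and the Expires dates in them are assumptions, not published values.

```python
"""Check a /.well-known/security.txt file against the RFC 9116 rules.

Added example, not code from the Njuru policy or any project; the sample
files and URLs below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of what a security.txt for this policy could contain.
# The Encryption/Canonical/Policy URLs and the Expires date are assumptions.
GOOD_SAMPLE = """\
# Security contact for the Njuru group (constructed example)
Contact: mailto:security@njuru.com
Expires: 2025-11-01T00:00:00.000Z
Encryption: https://njuru.com/.well-known/pgp-key.txt
Canonical: https://njuru.com/.well-known/security.txt
Policy: https://njuru.com/security
Preferred-Languages: en
"""

# Constructed sample showing the mistakes most often seen in deployed files.
BAD_SAMPLE = """\
Contact: http://example.invalid/security
Contact: security@example.invalid
Expires: 2020-01-01T00:00:00.000Z
Expires: 2030-01-01T00:00:00.000Z
"""

# Fixed reference time so the checks below are reproducible.
CHECKED_AT = datetime(2025, 1, 1, tzinfo=timezone.utc)

REQUIRED = ("contact", "expires")
AT_MOST_ONCE = ("expires", "preferred-languages")
HTTPS_ONLY = ("acknowledgments", "canonical", "hiring", "policy")


def parse_security_txt(text):
    """Return {lower-cased field name: [values]}; comments and blank lines are skipped.

    Field names are case-insensitive in RFC 9116, hence the lower-casing.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse the ISO 8601 timestamp RFC 9116 mandates (e.g. 2025-11-01T00:00:00.000Z)."""
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    # A timestamp without an offset is treated as UTC so comparisons stay well defined.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file passes the checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name} may appear only once")

    # Contact MUST be a URI; web URIs MUST be https, and a bare mail address
    # without mailto: is a common mistake that defeats machine parsing.
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"contact is not a mailto:/tel:/https: URI: {contact}")

    # Encryption may point at https:, dns: or openpgp4fpr:; other link fields are https only.
    for enc in fields.get("encryption", []):
        if not enc.startswith(("https://", "dns:", "openpgp4fpr:")):
            problems.append(f"encryption must be an https:, dns: or openpgp4fpr: URI: {enc}")
    for name in HTTPS_ONLY:
        for url in fields.get(name, []):
            if not url.startswith("https://"):
                problems.append(f"{name} must be an https: URI: {url}")

    # Expires must lie in the future; the RFC recommends under a year ahead, because a
    # stale file tells a reporter nothing about whether anyone still reads the mailbox.
    for value in fields.get("expires", []):
        try:
            expires = parse_expires(value)
        except ValueError:
            problems.append(f"expires is not ISO 8601: {value}")
            continue
        if expires <= now:
            problems.append(f"file expired on {value}")
        elif expires - now > timedelta(days=365):
            problems.append(f"expires is more than a year away: {value}")
    return problems


if __name__ == "__main__":
    print("good sample problems:", check_security_txt(GOOD_SAMPLE, CHECKED_AT))
    for problem in check_security_txt(BAD_SAMPLE, CHECKED_AT):
        print("bad sample:", problem)
```

Run against the constructed good sample at the fixed reference time the checker returns no problems; the bad sample trips five: a duplicated Expires, an http Contact, a bare address without mailto:, an already-expired timestamp and one more than a year out. Replacing GOOD_SAMPLE with the body fetched from a live /.well-known/security.txt gives a quick pre-publication check of a real file.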
2. What you can expect from us
- An acknowledgement within 3 business days of your report.
- A working triage with a severity assessment within 10 business days.
- Status updates as we work toward a fix.
- Public credit (with your permission) once the issue is resolved.
- A clear answer when we decide a finding is out of scope or accepted as risk; we don’t leave reporters in the dark.
3. Safe-harbour terms
We will not pursue legal action against, or initiate law-enforcement investigation of, anyone who:
- Engages in good-faith research consistent with this policy.
- Reports vulnerabilities promptly and gives us a reasonable time to fix them before public disclosure.
- Avoids privacy violations, service disruption, data destruction, or unsafe interaction with anyone else’s account or data.
- Stops testing and notifies us immediately if they encounter sensitive data (PII, credentials, financial information, legal-case data, etc.).
Where possible, please test against accounts you own. Do not pivot from one finding to data exfiltration. Do not use destructive tooling or denial-of-service techniques.
4. Scope
In scope: any production service we operate at the domains listed above, including their APIs and the “Ask Bella” assistant.
Out of scope: third-party services we depend on but don’t control (e.g. our email-delivery provider, registrar, or CDN), social-engineering attempts against staff or contractors, physical security, automated scanner output that lacks a working proof-of-concept, theoretical issues with no demonstrable impact, disagreements about design or wording (e.g. UX critiques), and reports about subdomain takeovers of domains we do not own.
Examples of issues that are not security findings, and that we’ll usually decline to act on:
- Missing security headers on routes that don’t serve sensitive responses.
- Self-XSS that requires the victim to paste attacker-controlled code into their own console.
- Clickjacking on pages without state-changing actions.
- Open redirects without security impact (no token, no session).
- SPF / DKIM / DMARC configuration on domains we don’t send mail from.
5. Disclosure timing
We aim to fix high-severity issues within 30 days, medium within 60, and low within 90. We ask reporters to keep findings private until we’ve had a chance to address them. If we’re not making progress and you’d like to coordinate disclosure, write to us and we’ll work it out together.
6. Acknowledgements
We’re grateful to the people who’ve helped us keep the Njuru group safe. With permission, we list them here once their finding has been addressed.
- No public acknowledgements yet. If your finding has been resolved and you’d like to be added, please write to security@njuru.com.
7. Reporting abuse
For non-security abuse (impersonation, spam, copyright issues, content complaints), please use the appropriate channel: abuse@njuru.com for general abuse, /dmca for copyright. For everything else, hello@njuru.com.
8. Anti-phishing notice
Njuru and our ventures will never ask you to share passwords, social security numbers, full payment card numbers, or copies of identity documents over email or chat. If you receive a message claiming to be from us asking for any of those, please forward it to security@njuru.com and do not respond. Legitimate communication from us will come from @njuru.com, @technooptics.com, @advottic.com, @taxottic.com, or @rollsanddigs.com.
This document was last updated on November 1, 2024. We may update it from time to time. We’ll post any changes here, and where the changes are material we’ll do our best to let you know.
