Security

Updated July 12, 2024

Groq is committed to securing and protecting our customers and their data. We take measures to proactively safeguard against security risks using industry standard practices. We are committed to addressing security issues in a timely and responsible manner.

Reporting Vulnerabilities

We encourage collaboration with the external security researcher community to help us identify and responsibly report security vulnerabilities in Groq products and systems. Groq, in its discretion, may credit or reward security researchers who find verifiable and unique vulnerabilities. 

Groq would appreciate the ability to investigate and verify a potential vulnerability, so we ask that you privately report a vulnerability before releasing it to the public. If you would like to report a suspected vulnerability or to find out more about our vulnerability management practices, please email security@groq.com.

Guidelines for Researchers

We request security researchers to adhere to the following guidelines:

  • You are at least 18 years of age, or have a parent’s or legal guardian’s permission prior to reporting. 
  • You are not a resident of a United States Government embargoed country or on a list of sanctioned individuals. 
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Do not modify or access data that does not belong to you.
  • Provide details of an original and previously unreported vulnerability, including information needed to reproduce and validate the vulnerability and a Proof of Concept (POC).
  • Provide Groq reasonable time to correct the issue before making any information public.

Third Party Products

If any reported issue affects a third-party library, external project, or another vendor, Groq reserves the right to forward details of the issue to that party without further discussion with the researcher. We will do our best to coordinate and communicate with researchers through this process.

All submissions will be governed by Groq’s Terms of Use.

Out of Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring MITM or physical access to a user’s device.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability.
  • Missing best practices in SSL/TLS configuration.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
  • Rate limiting or bruteforce issues on non-authentication endpoints
  • Missing best practices in Content Security Policy.
  • Missing HttpOnly or Secure flags on cookies
  • Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
  • Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
  • Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
  • Tabnabbing
  • Open redirect – unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction

Issues related to the content of model prompts and responses are out of scope.

Examples of safety issues which are out of scope:

  • Jailbreaks/Safety Bypasses (e.g. DAN and related prompts)
  • Getting the model to say bad things to you
  • Getting the model to tell you how to do bad things
  • Getting the model to write malicious code for you

Model Hallucinations are also out of scope:

  • Getting the model to pretend to do bad things
  • Getting the model to pretend to give you answers to secrets
  • Getting the model to pretend to be a computer and execute code