TROVE
Security & Responsible Disclosure
Last updated: 29 May 2026
Short version: If you've found a security issue in Trove, please tell
us before telling the internet. Email trovefi-support@googlegroups.com
and we will respond within 3 business days. We do not sue, threaten,
or report good-faith researchers.
1. How we handle your data
Trove was built privacy-first. The detail lives in the
Privacy Policy, but the summary that matters for
security is:
- Bank statements are never stored on our servers. In the web app
they are parsed in transient memory and discarded the moment the dashboard
renders. In the Android app they are parsed entirely on the device.
- Only anonymous descriptions leave the device when the AI
categorisation API is called — never amounts, dates, account numbers, balances,
or your name.
- Authentication uses Firebase Auth with Google as the identity
provider. We never see your password.
- All traffic is TLS 1.2+. Backend lives on Cloud Run in
asia-south1 (Mumbai).
2. Reporting a vulnerability
Email trovefi-support@googlegroups.com with:
- A short description of the issue
- Steps to reproduce, or a proof-of-concept
- The version of the app or commit hash if you know it
- Any account / email you used while testing (so we can scrub it)
Please do not exploit the issue beyond what's needed to confirm it,
and please don't access data that isn't yours. Don't publicly disclose the issue
until we've had a reasonable chance to fix it (we aim for 30 days
for high-severity, 90 days for everything else).
3. Scope
In scope:
- https://trovefi.in and any subdomain we operate
- The Trove Android app (in.trovefi.trove_mobile)
- The categorisation and insights backend APIs
Out of scope:
- Third-party services we depend on (Google Cloud, Firebase, OpenAI/Gemini,
payment gateways). Please report to the relevant vendor.
- Reports based purely on missing best-practice headers without a demonstrable
impact
- Social engineering, physical attacks, or DoS against the production service
- Issues already publicly disclosed
4. What we promise
- No legal action against researchers acting in good faith
- Public acknowledgement on this page (with your consent) for valid reports
- Honest, technical replies — not lawyer-speak
5. Hall of fame
Coming soon. We'll credit the first valid disclosure here with the reporter's name
and link (if they want it public).
6. Production controls (overview)
- HTTPS everywhere; HSTS enabled at the edge (Firebase Hosting / Google
Frontend).
- Firebase ID tokens are verified server-side on every protected endpoint.
- Mobile app pins the package name + SHA-1 fingerprint in Firebase OAuth
settings.
- No persistent transaction storage on our infrastructure — see the
Privacy Policy §2.4 for the mobile-app data flow.
- Dependencies are kept current; we run flutter pub outdated
and Gradle dependency checks on every release.