Security Center

Security Policy & Vulnerability Disclosure

How Frogeye secures its platform, handles data, responds to incidents — and how security researchers can work with us responsibly.

Security Policy v1.0 VDP v1.0 Effective May 2026 security@frogeye.ai
Section 1

Introduction & Commitment

Frogeye exists to make security analysis fast and accessible for every developer. We hold ourselves to the same standard we help others achieve: security is not an afterthought, it is an engineering discipline embedded in every layer of how we build and operate our platform.

This policy defines Frogeye's security posture, technical controls, and obligations to users. It applies to all Frogeye systems and personnel.

Scope

SystemDomain
Frontend applicationfrogeye.ai
MCP (Model Context Protocol) servermcp.frogeye.ai
npm SDK@frogeye/sdk
npm connection library@frogeye/connect
Supporting infrastructureNeon PostgreSQL, Upstash Redis, GCP Secret Manager, Vercel CDN
Section 2

Infrastructure Security

Cloud Run — MCP Server (mcp.frogeye.ai)

The Frogeye MCP server runs as a managed containerized workload on Google Cloud Run in us-central1:

  • Non-root execution: Containers run as user node (UID 1000). Root access is never granted inside the container.
  • Immutable containers: Each deploy produces a new, immutable container image. No in-place mutation of running containers.
  • Automatic TLS: All traffic to mcp.frogeye.ai is TLS-terminated by GCP's managed load balancer. Certificates are provisioned and rotated automatically.
  • Health monitoring: A /health endpoint is polled continuously by Cloud Run. Unhealthy instances are replaced automatically without manual intervention.
  • No direct internet exposure: Containers are in a VPC-native network. Only Cloud Run's managed ingress routes traffic to the service. No ports are directly internet-accessible.
  • Stateless per request: The MCP server holds no session state between requests. Compromise of a single request cannot expose state from other users.

Vercel — Frontend (frogeye.ai)

  • Edge network: Vercel's global edge network absorbs DDoS traffic before it reaches application logic.
  • Automatic HTTPS: All connections are TLS-encrypted. HTTP requests are permanently redirected to HTTPS.
  • Preview isolation: Preview deployments are isolated from the production environment. They share no database connection, secrets, or allowlist.
  • Runtime: Node.js 20 (LTS). Vercel's build pipeline validates the Node version on every deploy.
  • Zero-downtime deploys: Traffic is cut over only after a successful build and health check.

Neon PostgreSQL

  • Encrypted connections: All connections require sslmode=require. Cleartext connections are rejected.
  • pgvector extension: Semantic similarity search for vulnerability patterns uses the pgvector extension (embedding <=> $1 with LIMIT enforced on every query).
  • Connection pooling: Database connections are pooled to prevent connection exhaustion under load.
  • Automatic backups: Neon provides continuous WAL-based backups with point-in-time recovery.

Upstash Redis

  • TLS-encrypted: All connections to Redis are TLS-encrypted.
  • Exclusive rate-limiting use: Redis is used solely to enforce per-IP and per-API-key rate limits. No sensitive user data, session tokens, or personal information is stored in Redis.
  • No persistence of user data: Redis data is ephemeral. No user content survives a Redis flush.

GCP Secret Manager

  • Centralized secret storage: All 21 production secrets are stored in GCP Secret Manager under the frogeye-prod- prefix.
  • Zero hardcoded credentials: No credentials, API keys, or secrets exist in source code, container images, Dockerfiles, or environment variable defaults.
  • Runtime injection: Secrets are injected at container startup via Cloud Run's native Secret Manager integration.
  • Audit logging: Every secret access is recorded in GCP Cloud Audit Logs. Unauthorized access attempts trigger alerts.
  • Cloud KMS encryption: Secrets are encrypted using Google Cloud Key Management Service before storage.
Section 3

Data Security

Data Classification

ClassExamplesHandling
Public Documentation, blog posts, marketing content No special controls
Internal Anonymized vulnerability patterns, aggregated scan statistics Access-controlled, no PII, retained indefinitely
Sensitive User emails, OAuth tokens, API key hashes, Stripe payment data Encrypted at rest and in transit, access logged, minimal retention

Encryption at Rest

  • Neon PostgreSQL: AES-256 encryption at rest for all database volumes, including the patterns, users, api_keys, and hitl_queue tables.
  • GCP Secret Manager: Encryption managed by Cloud KMS. Frogeye does not manage encryption keys directly — Google's hardware security modules protect the master keys.

Encryption in Transit

TLS 1.2 or higher is enforced on every connection in the Frogeye stack:

  • Vercel edge (frogeye.ai) — TLS 1.3 preferred
  • Cloud Run (mcp.frogeye.ai) — TLS 1.3 preferred
  • Neon PostgreSQL — TLS 1.2+, sslmode=require
  • Upstash Redis — TLS 1.2+
  • Stripe — TLS 1.2+, PCI-mandated

Data Minimization

  • Free/Anonymous tier: No account creation required. Frogeye stores only the requesting IP address and scan result metadata. No name, email, or personal identifier is collected.
  • Authenticated tiers: Email address and OAuth provider identifier only. No passwords are ever stored by Frogeye.
  • Scan input: Source code submitted for analysis is processed in-memory and is not persisted. Only the resulting vulnerability classification and metadata are stored, not raw source.

Apex Tier — Embedding Clarification

Code stays in your environment. Security analysis runs through your local MCP client. To power AI-based detection, code snippets are converted to anonymized mathematical embeddings before transmission — your raw source files are never uploaded to Frogeye. These vectors are not reversible back to source code under current embedding techniques. Users with strict data residency requirements should be aware of this data flow.

Vulnerability Pattern Anonymization

The Frogeye knowledge graph contains 1,809 vulnerability patterns derived from real codebases. Before a pattern enters the knowledge graph:

  • Repository names, file paths, author names, and commit hashes are stripped.
  • Patterns are normalized to remove project-specific identifiers.
  • Only the structural vulnerability signature and its classification are retained.

No raw repository content or identifying information is present in the patterns table.

Section 4

Access Controls

Authentication

  • Supported providers: GitHub OAuth and Google OAuth only.
  • No passwords: Frogeye never stores, hashes, or handles user passwords. Credential management is fully delegated to GitHub and Google.
  • Minimal OAuth scopes: GitHub OAuth requests read:user and user:email only — no access to private repositories unless explicitly granted. Google OAuth requests email and profile only.

API Key Management

PropertyDetail
Formatfg_live_ followed by 32 hexadecimal characters
StorageSHA-256 hash stored in database — raw key is never persisted
DisplayRaw key shown once at generation time only, never retrievable thereafter
RotationUser-initiated via dashboard; old key immediately invalidated on rotation
TransmissionVia x-api-key request header over TLS only

Allowlist & Admin Access

  • All authenticated logins pass an allowlist check. The user's email must exist in the allowlist table before a session is issued.
  • Admin functionality is gated by database-level role checks, not client-side flags.
  • No standing production database access for any team member. Production access requires deliberate action and leaves an audit trail.
  • Access permissions are reviewed quarterly. Departed team members are revoked within 24 hours of offboarding.

Rate Limiting

  • Per-IP rate limits apply to all unauthenticated endpoints.
  • Per-API-key rate limits apply to authenticated MCP endpoints.
  • Quota limits are tier-dependent and enforced at the API layer before database operations.
Section 5

Vulnerability Management & Patching SLAs

Severity Classification & Response Times

SeverityCVSS ScorePatch SLA
Critical9.0 – 10.024 hours
High7.0 – 8.97 days
Medium4.0 – 6.930 days
Low< 4.090 days

SLAs are measured from the time of confirmed internal acknowledgment, not from initial report receipt.

Dependency Scanning

  • Automated dependency scanning runs on every commit and pull request via GitHub Dependabot.
  • Dependabot alerts are reviewed weekly. Critical and High alerts block merge until resolved.
  • @frogeye/sdk and @frogeye/connect are included in the scanning scope.

Container Security

  • Container images are scanned for known CVEs on every Cloud Run deploy.
  • Base images are pinned to specific digests, not floating tags, to prevent supply chain injection.
  • Outdated base images are rotated on a regular cadence independent of application changes.
Section 6

Incident Response

Process Overview

All security incidents follow a five-phase response:

  1. Detection — Identify the incident via monitoring, alert, or external report
  2. Contain — Isolate affected systems to prevent spread (revoke API keys, block IPs, disable endpoints)
  3. Eradicate — Remove the root cause (patch vulnerability, rotate compromised credentials, redeploy clean containers)
  4. Recover — Restore normal operations with verification that the threat is eliminated
  5. Post-mortem — Document timeline, root cause, impact, and control improvements within 5 business days

Severity Levels & Response SLAs

PriorityDefinitionResponse TimeUser Notification
P0 Active data breach, complete service outage, compromised infrastructure 1 hour 4 hours if user data affected
P1 Degraded security control, partial data exposure, authentication bypass 4 hours 24 hours if user data affected
P2 Non-critical vulnerability confirmed, no active exploitation 24 hours At time of patch release
P3 Security inquiry, low-risk finding, best practice gap 48 hours Not required

Data Breach Notification

If a security incident results in unauthorized access to user personal data:

  • Affected users are notified within 72 hours of confirmed breach (GDPR Article 33 compliance).
  • Notification includes: what data was accessed, when the breach occurred, what Frogeye has done to contain it, and what users should do.
  • Where required by applicable law, supervisory authorities are notified within the same 72-hour window.
Section 7

Third-Party Security

Frogeye relies on the following third-party vendors for core infrastructure. Each is evaluated for security posture before use and reviewed annually.

VendorRoleSecurity Certifications
Stripe Payment processing PCI DSS Level 1 — Frogeye never stores, processes, or transmits raw card data
Vercel Frontend hosting & edge delivery SOC 2 Type II
Neon Managed PostgreSQL database SOC 2 Type II
Google Cloud Platform Cloud Run, Secret Manager, Cloud KMS ISO 27001, SOC 2 Type II, FedRAMP High
Upstash Managed Redis for rate limiting SOC 2 Type II
GitHub OAuth identity provider SOC 2 Type II, ISO 27001

GitHub OAuth Scope Policy

Frogeye's GitHub OAuth integration requests only read:user and user:email. It does not request access to repositories. Users who later grant repository access for extended features can revoke it at any time from their GitHub security settings.

Section 8

Security Assessments & SOC 2 Roadmap

Current Security Posture

  • Internal security reviews conducted before every major feature release
  • Automated dependency vulnerability scanning (Dependabot) on all repositories
  • Secret scanning enabled on all Frogeye GitHub repositories — committed secrets trigger immediate alerts
  • GCP Security Command Center monitoring enabled for the polygon-1296 project
  • All secret access audited via GCP Cloud Audit Logs

SOC 2 Roadmap

MilestoneTarget Date
SOC 2 Type I readiness assessmentQ2 2026
SOC 2 Type I auditQ3 2026
SOC 2 Type II observation period beginsQ4 2026
SOC 2 Type II reportQ1 2027

SOC 2 reports will be made available to enterprise customers under NDA upon request.

Penetration Testing

An independent third-party penetration test is planned for Q4 2026. The scope will include the frogeye.ai frontend, mcp.frogeye.ai API surface, and the @frogeye/sdk and @frogeye/connect npm packages.

Bug Bounty

Frogeye operates a coordinated responsible disclosure program. At this stage, rewards are recognition-based: accepted reports receive public credit in the Frogeye Hall of Fame and direct acknowledgment from the security team. A monetary bug bounty program will be evaluated following the SOC 2 Type I audit. See frogeye.ai/security for current scope and safe harbor terms.

Section 9

Employee & Contractor Security

Access Provisioning

  • All personnel with access to production systems complete a background check prior to being granted access.
  • Access follows the principle of least privilege. No team member receives standing access to production databases or GCP Secret Manager.
  • Production access requires explicit request, is time-limited, and is logged.

Security Training

  • All team members and contractors complete security awareness training within 30 days of joining.
  • Refresher training is conducted quarterly, covering phishing, social engineering, incident reporting, and secure development practices.

Offboarding

  • All system access is revoked within 24 hours of a team member's departure.
  • Offboarding checklist includes: GCP IAM revocation, GitHub organization removal, Vercel team removal, and rotation of any secrets the individual had access to.
  • Unmanaged or personal devices are never permitted to access production systems without explicit security review and MDM enrollment.
Section 10

Data Retention & Deletion

Data TypeRetention PeriodDeletion Trigger
Anonymous scan logs (IP + metadata) 90 days Automatic rolling purge
User account data (email, tier, timestamps) Account lifetime + 30 days Account deletion request
API key hashes Immediately invalidated on rotation or deletion; purged within 30 days User rotation or account deletion
Vulnerability patterns (anonymized) Indefinite Not applicable — no PII present
OAuth tokens Session lifetime only — not persisted Session expiry
Redis rate-limit counters TTL-based, typically 1–24 hours Automatic expiry

Right to Erasure

Users may request deletion of all personal data associated with their account by emailing security@frogeye.ai with subject line "Data Deletion Request." Frogeye will confirm receipt within 48 hours and complete deletion within 30 days. A confirmation email is sent upon completion.

Anonymized vulnerability patterns derived from a user's scans are not subject to deletion requests, as they contain no personally identifiable information and cannot be attributed to an individual.

Section 11

Contact

Security Vulnerabilities & Incidents
security@frogeye.ai
Responsible Disclosure Program
frogeye.ai/security
Data Protection & Privacy
privacy@frogeye.ai
Urgent Issues (P0/P1)

Include "URGENT" in subject line — automated alerting for critical keywords.

Section 1

Introduction

At Frogeye, security is foundational — not an afterthought. We build tools that developers trust to find vulnerabilities in their code, which means our own platform must be held to the highest standard. We believe that working transparently with the security research community is one of the most effective ways to achieve that standard.

This Vulnerability Disclosure Program (VDP) establishes a structured, good-faith framework for security researchers to report vulnerabilities they discover in Frogeye's products and infrastructure. This is a coordinated disclosure program — we do not currently offer monetary bug bounties, but we are committed to acknowledging, triaging, and remediating valid reports promptly, and to recognizing researchers publicly for their contributions.

We believe responsible disclosure benefits everyone: it protects Frogeye users, strengthens the broader developer security ecosystem, and gives researchers a clear, fair process with legal protection for good-faith work.

If you discover a potential security issue in any Frogeye product or service, please read this policy in full before testing or reporting.
Section 2

Scope

In Scope

The following assets are explicitly within scope for security research:

AssetDescription
frogeye.ai Primary web frontend — all subdomains (e.g., www.frogeye.ai, api.frogeye.ai)
mcp.frogeye.ai MCP (Model Context Protocol) server — the core vulnerability scanning service
@frogeye/sdk Official npm package — all published versions
@frogeye/connect Official npm package — all published versions
Frogeye API All endpoints under frogeye.ai/api/*
Pattern anonymization note: If you discover a method by which anonymized vulnerability patterns could be reverse-engineered to identify specific users, codebases, or organizations — this is an in-scope critical finding. Please report it immediately.

Out of Scope

The following are explicitly out of scope. Do not test these — doing so may result in your report being declined and could expose you to legal risk beyond our safe harbor:

  • Third-party services: GitHub, Google, Stripe, Vercel, GCP, Neon PostgreSQL, Upstash Redis — we cannot fix issues within them
  • Social engineering: Phishing, pretexting, or any deception targeting Frogeye employees, contractors, or customers
  • Physical security attacks: Attacks requiring physical access to Frogeye infrastructure or user devices
  • Denial of service (DoS/DDoS): Testing that degrades service availability violates our Rules of Engagement
  • Automated scanning without prior permission: Contact us first if you want to run automated tooling at scale
  • Missing security headers without demonstrated exploitable impact
  • Self-XSS: Cross-site scripting that affects only the authenticated user who triggered it
  • Rate limiting findings without meaningful security impact
  • Clickjacking on pages with no sensitive actions
  • Expired TLS certificates on non-production systems
  • Content injection without JavaScript execution
  • CSV injection without demonstrated impact beyond the file

If you are unsure whether your target or technique is in scope, email us before testing. We would rather answer a question than receive a report we have to decline.

Section 3

Rules of Engagement

All security research must comply with the following rules. Violation of these rules voids the safe harbor protections in Section 6.

You MUST
  • Use only test accounts you own or have explicit written permission to use
  • Stop testing immediately and report if you accidentally access real user data
  • Provide sufficient detail for us to reproduce and remediate the issue
  • Keep your findings confidential until the coordinated disclosure window has passed
  • Confirm you are operating under this policy before testing
You MUST NOT
  • Access, copy, modify, delete, or exfiltrate real user data of any kind
  • Disrupt or degrade Frogeye's service availability
  • Social engineer, phish, or deceive Frogeye employees or users
  • Publicly disclose findings before the coordinated disclosure window has passed
  • Use exploits to pivot beyond what is necessary to demonstrate impact
  • Use automated scanners at scale without prior written permission
  • Attempt to access GCP Secret Manager, Neon, or Upstash directly
  • Perform testing that could affect other users' experience or data
Section 4

Submission Process

How to Submit

Send your report to security@frogeye.ai with the subject line:

[VDP] Brief one-line description of the vulnerability

Example subject: [VDP] Stored XSS in Frogeye dashboard — pattern display field

What to Include

A high-quality report helps us triage and fix faster. Please include:

  1. Vulnerability description: What is the vulnerability class? What is the root cause?
  2. Affected component: Which URL, endpoint, npm package, or version is affected?
  3. Step-by-step reproduction: Exact steps, commands, or request payloads. Assume the reviewer is starting from scratch.
  4. Proof of concept: Screenshots, screen recordings, curl commands, or minimal PoC code. Do not include actual user data.
  5. Impact assessment: What can an attacker accomplish? What data or systems are at risk?
  6. Suggested severity: Your CVSS 3.1 score estimate (optional, but helpful)
  7. Contact information and preferred name/handle for the Hall of Fame

Sensitive Reports & PGP Encryption

For reports involving critical vulnerabilities (authentication bypass, data exposure, or access to user data), we request that you encrypt your report with our PGP key before sending. Our PGP public key will be published at https://frogeye.ai/security once our signing key is established.

Do not file GitHub issues, forum posts, or any other public disclosure about a potential security vulnerability before coordinating with us. We treat all emailed reports as confidential. We accept reports in English only.
Section 5

Response SLAs

We commit to the following response timeline for all valid, in-scope reports:

MilestoneTarget
AcknowledgmentWithin 48 hours of receipt
Initial triageWithin 5 business days
Status updateWeekly while the issue is active
Critical fix (CVSS 9.0–10.0)Within 30 days
High fix (CVSS 7.0–8.9)Within 60 days
Medium fix (CVSS 4.0–6.9)Within 90 days
Low fix (CVSS < 4.0)Best effort; no fixed deadline

If we anticipate that a fix will take longer than the target window, we will communicate this proactively and agree on a revised timeline. If we do not acknowledge your report within 48 hours, please follow up with a second email before assuming it was lost.

Section 6

Safe Harbor

Frogeye is committed to protecting security researchers who act in good faith under this policy.

Our Commitment

If you conduct security research in compliance with this VDP — specifically the Rules of Engagement in Section 3 — Frogeye will:

  • Not pursue or threaten legal action against you for your research activities
  • Not refer you to law enforcement for good-faith security testing conducted under this policy
  • Consider your research compliant with applicable computer fraud and unauthorized access laws, including the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030; the Digital Millennium Copyright Act (DMCA), 17 U.S.C. § 1201; and equivalent laws in other jurisdictions
  • Work with you in good faith to understand and remediate valid findings
  • Not disclose your identity to third parties without your consent, except as required by law

Scope of Protection

Safe harbor applies only when:

  • Your testing is limited to assets listed as In Scope in Section 2
  • You comply with all Rules of Engagement in Section 3
  • You do not access, copy, or exfiltrate real user data beyond what is necessary to demonstrate impact
  • You do not exploit the vulnerability for any purpose other than demonstrating its existence to Frogeye
  • You report the vulnerability to us promptly and do not disclose publicly before coordinated disclosure
  • You do not conduct any testing that disrupts service availability

Limitations

Safe harbor does not apply if:

  • You access systems or data beyond what is necessary to prove the vulnerability
  • You violate the Rules of Engagement
  • You disclose the vulnerability publicly before the coordinated disclosure window
  • You test out-of-scope assets
  • Your activities cause harm to Frogeye users or infrastructure

Accidental Data Access

If you accidentally access real user data during testing — even briefly — stop immediately and report it to us. Include in your report: what data you accessed, how you accessed it, and confirmation that you have not retained or transmitted it. Good-faith accidental access reported promptly is covered by safe harbor; deliberate exfiltration or retention is not.
Section 7

Recognition — Hall of Fame

Frogeye maintains a public Hall of Fame at https://frogeye.ai/security/hall-of-fame to recognize researchers who responsibly disclose valid, in-scope vulnerabilities.

Eligibility

To be listed, your report must:

  • Be the first report of that specific vulnerability (not a duplicate)
  • Be in-scope and constitute a valid security finding
  • Comply with all Rules of Engagement
  • Be submitted before any public disclosure

What We Offer

  • Public acknowledgment on the Hall of Fame — your name, handle, and a brief description of the class of vulnerability you found (with your permission)
  • Optional mention in release notes or security advisories if you agree
  • Our genuine gratitude — researchers who help us improve our security protect the developers who use Frogeye every day

What We Do Not Offer

We are an early-stage startup and do not offer monetary bug bounties at this time. We are transparent about this so researchers can make informed decisions about where to invest their time. We plan to introduce a paid bug bounty program in 2027 as the company matures and revenue scales. Researchers who have contributed during this VDP phase will be recognized as founding contributors when the bounty program launches.

Opting Out

If you prefer to remain anonymous, simply let us know and we will omit your name from the Hall of Fame. We will still remediate the issue and credit an anonymous researcher in any public advisory.

Section 8

CVE Coordination

When We Assign CVEs

For findings with a CVSS score of 7.0 or higher affecting @frogeye/sdk, @frogeye/connect, the mcp.frogeye.ai server, or Frogeye's core API — we will coordinate CVE assignment with MITRE or a relevant CNA and will list the reporting researcher in the CVE record (with their consent).

Coordinated Disclosure Timeline

Our standard coordinated disclosure window is 90 days from the date of initial report acknowledgment.

  • We request that researchers hold all public details (blog posts, conference talks, social media, proof-of-concept code) for the full 90-day window while we remediate.
  • If a fix cannot be delivered within 90 days, we will notify you at least 14 days before the window expires and negotiate an extension in good faith.
  • We will not request extensions beyond 180 days total from initial report.
  • For critical vulnerabilities with confirmed active exploitation, we reserve the right to issue an emergency advisory within 7 days — we will notify you before doing so.

After Disclosure

We actively support researchers who wish to publish blog posts, present at security conferences (DEF CON, Black Hat, BSides, etc.), or release their proof-of-concept code. We ask only that you coordinate with us before publishing — not to censor your work, but to ensure our patch is live. We will review draft write-ups within 5 business days.

Section 9

Public Disclosure Timeline

ScenarioTimeline
Standard coordinated disclosure 90 days from acknowledgment
Active exploitation detected 7 days (emergency advisory; we notify you first)
Partial fix + workaround available We may issue advisory with credit before full fix is ready
Disputed finding 30-day resolution window; researcher may proceed after if unresolved
Researcher requested extension Granted if justified; no unreasonable delays on our end

Disputed Reports

If we and the researcher disagree about severity, exploitability, or whether a finding is valid, we will:

  1. Provide our reasoning in writing within 10 business days
  2. Allow the researcher to respond with additional evidence or argument
  3. Attempt to reach consensus within 30 days of initial dispute

If the dispute remains unresolved after 30 days, the researcher may proceed with public disclosure with our knowledge. We will not pursue legal action against researchers who disclose after a good-faith 30-day dispute resolution process.

Section 10

What We Ask of Researchers

In exchange for the protections and recognition described in this policy, we ask that you:

  1. Give us reasonable time. The 90-day window exists for a reason — complex systems take time to patch safely, especially when fixes touch MCP protocol handling or database migrations.
  2. Don't weaponize the finding. Do not exploit the vulnerability against real users, sell it to third parties, or use it for any purpose other than demonstrating its existence to us.
  3. Keep it confidential. Don't share vulnerability details with anyone until after the coordinated disclosure window — not in private Discords, not in vague tweets, not in conference talk abstracts. The window protects users, not us.
  4. Provide enough detail. If we can't reproduce it, we can't fix it. Include the reproduction steps, environment details, and PoC that allowed you to find it.
  5. Talk to us. If you have questions about scope, an unusual technique you want to use, or a finding that doesn't fit neatly into this policy — email us before testing. We respond within 48 hours.
Section 11

Contact

Email
security@frogeye.ai
Subject Line Format

[VDP] Brief description

Response Time

Within 48 hours

PGP Key
frogeye.ai/security
Policy Page
frogeye.ai/security
Hall of Fame
frogeye.ai/security/hall-of-fame

For non-security inquiries (product questions, general feedback), please use the standard contact channels at frogeye.ai. The security@frogeye.ai address is monitored by the security team and is reserved for vulnerability reports and security-related inquiries only.

This policy was last reviewed on May 1, 2026. We review and update this policy annually or when significant changes to our product scope or legal environment warrant an update.