FrootAI — AmpliFAI your AI Ecosystem Get Started

Responsible Disclosure Policy

We take security seriously. If you've found a vulnerability in FrootAI, we want to hear from you — and we'll treat you with respect.

Scope

In Scope

  • studio.frootai.dev (FrootAI Studio)
  • engine.frootai.dev (FrootAI Cloud Engine API)
  • registry.frootai.dev (Plugin Registry)
  • *.frootai.dev subdomains
  • FrootAI npm packages (@frootai/*)
  • FrootAI Python packages (frootai-*)
  • FrootAI GitHub repositories (github.com/frootai/*)
  • FAI Protocol specification and reference implementations

Out of Scope

  • frootai.dev static marketing pages (low risk, no user data)
  • Third-party services we use (report to them directly)
  • Social engineering attacks against FrootAI employees
  • Physical security of FrootAI offices
  • Denial of service (DoS/DDoS) attacks

How to Report

Email [email protected] with:

  1. Description of the vulnerability
  2. Steps to reproduce (as detailed as possible)
  3. Impact assessment (what could an attacker do?)
  4. Affected URL / component
  5. Screenshots or proof-of-concept (if available)
  6. Your name / handle (for Hall of Fame credit — optional)

Encrypt sensitive reports using our PGP key at frootai.dev/.well-known/pgp-key.asc. Fingerprint will be published on our security page.

Our Response Commitment

Acknowledge receipt
Within 48 hours
Triage & severity assessment
Within 7 days
Remediate Critical
Within 14 days
Remediate High
Within 30 days
Remediate Medium/Low
Within 90 days
Public disclosure (coordinated)
After fix deployed + 14-day grace

Safe Harbor

We will not take legal action against security researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
  • Only interact with accounts they own or with explicit permission of the account holder
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it
  • Report the vulnerability to us before disclosing it publicly
  • Give us reasonable time to remediate before public disclosure

We consider security research conducted in accordance with this policy to be authorized, and we will not pursue legal action. If legal action is initiated by a third party, we will take steps to make it known that your actions were conducted in compliance with this policy.

What We Ask

  • Do not access, modify, or delete data belonging to other users
  • Do not perform actions that could degrade service for other users
  • Do not use automated scanning tools against production services without coordination
  • Do not publicly disclose the vulnerability before we've had a chance to fix it
  • Provide enough detail for us to reproduce and fix the issue

Severity Classification

CriticalRemote code execution, authentication bypass, data breach, SQL injection
HighPrivilege escalation, stored XSS, IDOR with sensitive data access, SSRF
MediumReflected XSS, CSRF, information disclosure (non-sensitive), misconfiguration
LowMissing security headers, verbose error messages, clickjacking on non-sensitive pages

Hall of Fame

We publicly acknowledge security researchers who help us improve FrootAI's security. With your permission, we'll add your name (or handle) here.

No reports yet — be the first to help us improve!

Note: We do not currently offer monetary bounties. We recognize researchers with public credit, FrootAI swag, and a heartfelt thank-you.

Contact

Email: [email protected]

PGP Key: frootai.dev/.well-known/pgp-key.asc

security.txt: frootai.dev/.well-known/security.txt

Preferred Languages: English, German