Vulnerability Disclosure
Security is paramount. We welcome collaboration with the infosec community.
1. Safe Harbor / Legal Posture
EmptyFrog supports the work of independent security researchers. If you make a good-faith effort to comply with this policy during your security research, we will consider your research to be authorized. We will work with you to understand and resolve the issue quickly, and EmptyFrog will not initiate or recommend legal action related to your research.
2. Scope & Boundaries
The following targets are IN SCOPE:
- `*.emptyfrog.io`
- `platform.emptyfrog.io`
- EmptyFrog REST API (`api.emptyfrog.io`)
Out of Scope & Strictly Prohibited:
- Social Engineering (phishing, vishing, etc.) affecting our employees or customers.
- Physical attacks against our facilities.
- Destructive testing, DoS (Denial of Service), or DDoS attacks.
- Interacting with other users' accounts or data without explicit permission.
3. Reporting Guidelines
If you believe you have found a security vulnerability in one of our platforms, please submit your findings to:
security@emptyfrog.io
Please provide a detailed description of the issue, including steps to reproduce the vulnerability (Proof-of-Concept) and the potential impact. We typically triage critical-severity reports within 48 hours.
4. Bug Bounty
EmptyFrog maintains a private Bug Bounty program. Meaningful vulnerability reports that are validated by our internal security team may be awarded monetary bounties at our discretion, based on severity and exploitation impact.