Vulnerability Disclosure Policy
We care about security. If you've found a vulnerability in Frugal, we want to hear about it. We welcome responsible disclosure and will work with you to understand and fix issues quickly.

Scope

In scope
  • *.frugal.co
  • Frugal web application
  • Public APIs operated by Frugal
  • Frugal open source repositories (github.com/frugalco)
Out of scope
  • Third-party services not controlled by Frugal
  • Social engineering or phishing
  • Physical attacks
  • Denial of service (DoS/DDoS)
  • Automated scanning that impacts system performance
  • Testing against customer tenant environments or customer data
  • Spam or low-signal reports
If you're unsure whether something is in scope, just ask.

How to Report

Send your report to:
infosec@frugal.co
Helpful reports usually include:
  • What you found and why it matters
  • Clear steps to reproduce
  • Screenshots, code, or proof of concept
  • Any assumptions or limitations

Our Commitment

When you report a valid issue, we will:
  • Acknowledge within 72 hours
  • Triage and validate quickly
  • Keep you in the loop on progress
  • Fix issues based on severity
  • Let you know when it's resolved

Safe Harbor

If you follow these guidelines, we consider your research authorized:
  • Act in good faith
  • Only test systems in scope
  • Don't degrade or disrupt services
  • Don't publicly disclose before we've had a reasonable opportunity to fix the issue
If something goes wrong (it happens), stop and let us know right away.

Please Don't

  • Exfiltrate or access customer data
  • Run automated scanners that create excessive load
  • Attempt privilege escalation beyond proof of concept
  • Chain vulnerabilities for deeper exploitation
  • Use findings for anything other than reporting

Handling of Reports

All reports are logged and tracked through our vulnerability management process, prioritized based on risk and impact, and remediated according to our internal SLAs.

Disclosure

We follow a responsible disclosure approach: fix first, then disclose. We're happy to coordinate timing with you.

Questions?

Not sure if something is a vulnerability? Send it anyway or ask first. We'd rather see it than miss it.
infosec@frugal.co
Last updated: April 2026