We care about security. If you've found a vulnerability in Frugal, we want to hear about it. We welcome responsible disclosure and will work with you to understand and fix issues quickly.
If you follow these guidelines, we consider your research authorized:
Act in good faith
Only test systems in scope
Avoid accessing or modifying user data
Don't degrade or disrupt services
Don't publicly disclose before we've had a reasonable opportunity to fix the issue
If something goes wrong (it happens), stop and let us know right away.
Please Don't
Exfiltrate or access customer data
Run automated scanners that create excessive load
Attempt privilege escalation beyond proof of concept
Chain vulnerabilities for deeper exploitation
Use findings for anything other than reporting
Handling of Reports
All reports are logged and tracked through our vulnerability management process, prioritized based on risk and impact, and remediated according to our internal SLAs.
Disclosure
We follow a responsible disclosure approach: fix first, then disclose. We're happy to coordinate timing with you.
Recognition
We don't run a bug bounty, but we appreciate every solid report and are happy to offer public credit if you want it.
Questions?
Not sure if something is a vulnerability? Send it anyway or ask first. We'd rather see it than miss it.