Responsible Disclosure
Security is foundational to Freeplay’s mission of helping teams build great AI products. If you discover a vulnerability, please let us know so we can fix it quickly and keep every customer’s data safe. We offer monetary rewards for high- and critical-severity findings.
How to report
Email us: Send details to security@freeplay.ai. We’ll acknowledge your report within 2 business days.
Share the evidence: Provide a clear description, reproduction steps, and any proof-of-concept code or screenshots.
Give us time to remediate: For critical issues, our target is to deploy a fix within one week; please hold off on public disclosure until we confirm the patch.
Research guidelines
Do no harm. Don’t disrupt service, destroy data, or access anything beyond what’s needed to demonstrate the issue.
Stay in scope. Limit testing to assets you control or have explicit permission to probe.
Respect privacy. Never exfiltrate customer data.
Avoid prohibited techniques. No DDoS, spam, social engineering, phishing, or brute-force attacks.
Our commitment to you
| What you can expect | Our promise |
| --- | --- |
| Timely updates | We’ll keep you informed of progress, typically every 5 business days until resolution. |
| Fair rewards | We pay bounty amounts based on severity and real-world impact. |
| Safe harbor | We won’t pursue legal action if you follow these guidelines and act in good faith. |
Why security researchers matter
Freeplay is already SOC 2 Type II and GDPR compliant, and we run isolated, single-tenant deployments for enterprise customers. Your research helps us raise the bar even higher.
Thank you for helping us protect the Freeplay platform and the teams who rely on it. If anything here is unclear, just email security@freeplay.ai. We’re happy to chat.
Legal and Compliance notes
Payments are subject to compliance review and may be withheld if restricted by our payment processors or applicable laws. We welcome security vulnerability reports from anywhere in the world, except from individuals who are located in, are nationals of, or work for a company incorporated in a country or region that is subject to comprehensive U.S. sanctions. This includes (as of August 2025) Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk, and Luhansk regions of Ukraine. We also cannot make payments to individuals on any U.S. sanctions list.