Please report security vulnerabilities to: security@frame.dev

We will respond within 48 hours and provide updates as we investigate.

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

• All AI processing runs in your browser (TensorFlow.js, Transformers.js)
• No data leaves your device unless you configure a backend
• Camera feeds are never transmitted by default

• IndexedDB for local storage (encrypted at rest by browser)
• Optional cloud sync uses HTTPS/WSS only
• No third-party analytics or tracking

• Passwords hashed with scrypt (N=16384, r=8, p=1)
• Session tokens generated with crypto.randomBytes (32 bytes)
• JWT tokens with configurable expiration
• Rate limiting on auth endpoints

• All backend connections require HTTPS/WSS
• CORS configured for specific origins only
• WebSocket connections authenticated

1. Keep dependencies updated - Run npm audit regularly
2. Use HTTPS - Never deploy backend without TLS
3. Restrict CORS - Only allow your frontend origin
4. Monitor logs - Check for unusual access patterns
5. Backup data - Export IndexedDB data periodically

• Browser storage is limited (~50MB IndexedDB per origin)
• Service Worker requires HTTPS (except localhost)
• WebRTC camera access requires user permission each session

We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities.