Security at Bullfrog
Security isn't just what we do, it's who we are. As a security company protecting your CI/CD pipelines, we hold ourselves to the highest standards of data protection, infrastructure security, and operational excellence.
Our Security Principles
Defense in Depth
Multiple layers of security controls ensure that no single point of failure can compromise your data.
Full Transparency
Our agent code is fully open source, allowing you to verify exactly what runs in your infrastructure.
Zero Trust Architecture
Every request is authenticated and authorized; we never assume trust based on network location.
Open Source Agent
Complete Transparency: The agent that runs in your GitHub Actions runners is fully open source and available for inspection on GitHub.
- Audit the code: Review every line of code that executes in your infrastructure
- Build verification: Rebuild the agent from the published source and compare the result against the published binaries using reproducible builds
- Community security: Benefit from community security reviews and contributions
- No hidden behavior: What you see in the repository is exactly what runs in your workflows
This transparency ensures you can verify that our agent only monitors egress connections and enforces your security policies. Nothing more, nothing less.
Data Encryption
Encryption at Rest
All data stored in our databases and storage systems is encrypted using industry-standard AES-256 encryption. This includes workflow metadata, connection logs, and user account information.
Encryption in Transit
All data transmitted between your infrastructure and our services is encrypted using TLS 1.3 with strong cipher suites. We enforce HTTPS across all endpoints.
Double Encryption for Access Tokens
Your GitHub and other OAuth access tokens receive an additional layer of protection through application-level encryption before being stored in our encrypted database, so that a database dump or backup alone is not enough to recover a usable token.
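The application-level layer described above, as an added example in Go (this is illustrative code, not Bullfrog's own implementation): a token is sealed with AES-256-GCM under a key the application holds outside the database, and the owning record's ID is bound as associated data so a ciphertext copied between rows fails to decrypt. The 32-byte demo key, the `user:1001` record ID and the token value are constructed for the example; a real service would load the key from a KMS or secrets manager.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// TokenVault wraps the application-level key used to encrypt OAuth tokens
// before they are written to the (separately encrypted) database.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault builds an AES-256-GCM AEAD from a 32-byte key. The key lives
// with the application (KMS / secrets manager), never alongside the rows it protects.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("application key must be exactly 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal encrypts one token. A fresh random nonce is prepended to the ciphertext,
// and recordID is bound as associated data: the same ciphertext will not open
// under any other record's ID.
func (v *TokenVault) Seal(recordID string, token []byte) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, token, []byte(recordID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal. Any tampering, a wrong key, or a mismatched recordID
// makes GCM authentication fail and returns an error rather than garbage.
func (v *TokenVault) Open(recordID string, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	return v.aead.Open(nil, raw[:ns], raw[ns:], []byte(recordID))
}

func main() {
	// Constructed demo key; never hard-code a real one.
	key := bytes.Repeat([]byte{0x42}, 32)
	v, err := NewTokenVault(key)
	if err != nil {
		panic(err)
	}
	stored, err := v.Seal("user:1001", []byte("gho_exampletoken"))
	if err != nil {
		panic(err)
	}
	fmt.Println("stored in DB column:", stored)

	pt, err := v.Open("user:1001", stored)
	fmt.Printf("opened for owner: %q err=%v\n", pt, err)

	// Same ciphertext presented for a different record: authentication fails.
	_, err = v.Open("user:2002", stored)
	fmt.Println("opened for another record: err =", err)
}
```

The stored value is opaque to anyone holding only the database (or its backups) because the AES-256 key is never written there; the database's own encryption at rest remains the outer layer.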
Infrastructure Security
Web Application Firewall (WAF)
A web application firewall sits in front of all platform services and filters common web attacks and known exploit patterns before they reach the application.
NAT Gateway
All egress connections route through managed NAT gateways with static IPs, so our outbound traffic comes from a small, known set of addresses that downstream systems can allow-list.
IP Filtering
The database is reachable only from our application servers, never from the public internet, providing an additional layer of protection.
Access Control & Authentication
Least Privilege Access
Every system component and team member has only the minimum permissions required to perform their function. We implement role-based access control (RBAC) for all internal systems, require multi-factor authentication (MFA) for all team members, use service accounts with minimal scoped permissions, and conduct regular access reviews and permission audits.
Input Validation & API Security
Schema Validation
All API requests are validated against strict JSON schemas to ensure data integrity and prevent malformed requests.
Type Checking & Sanitization
Strong type validation for all parameters and fields, combined with automatic sanitization of user inputs to prevent XSS and injection attacks.
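What "strict schema, type checking and sanitization" looks like at a single API endpoint, as an added example in Go (illustrative code, not Bullfrog's API): the Go struct is the schema, `DisallowUnknownFields` rejects any extra key, decoding into typed fields rejects a string where an array is required, a second decode rejects trailing data, explicit checks enforce allowed values and sizes, and the one free-text field is HTML-escaped. The `PolicyRequest` shape, its field names, the limits and all sample bodies are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"html"
	"io"
	"regexp"
	"strings"
)

// PolicyRequest is a hypothetical request body for creating an egress policy.
// The field set is the schema: anything not listed here is rejected.
type PolicyRequest struct {
	Repository   string   `json:"repository"`    // "owner/name"
	Mode         string   `json:"mode"`          // "audit" or "block"
	AllowedHosts []string `json:"allowed_hosts"` // optional allow-list
	Description  string   `json:"description"`   // free text, escaped before storage
}

var (
	repoPattern  = regexp.MustCompile(`^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$`)
	hostPattern  = regexp.MustCompile(`^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$`)
	maxBodyBytes = int64(64 << 10) // 64 KiB cap: oversized bodies fail during parsing
)

// DecodePolicyRequest parses and validates one request body. It fails closed on
// unknown fields, wrong types, trailing data, and values outside the schema.
func DecodePolicyRequest(body io.Reader) (*PolicyRequest, error) {
	dec := json.NewDecoder(io.LimitReader(body, maxBodyBytes))
	dec.DisallowUnknownFields() // strict schema: an extra key such as "admin": true is an error

	var req PolicyRequest
	if err := dec.Decode(&req); err != nil {
		// covers syntax errors, unknown keys and type mismatches
		// (e.g. a string where allowed_hosts must be an array)
		return nil, fmt.Errorf("malformed request: %w", err)
	}
	// exactly one JSON value per body; `{...} {...}` is rejected
	if err := dec.Decode(&struct{}{}); !errors.Is(err, io.EOF) {
		return nil, errors.New("malformed request: trailing data after JSON object")
	}
	if err := validate(&req); err != nil {
		return nil, fmt.Errorf("invalid request: %w", err)
	}
	// Neutralise HTML metacharacters in the free-text field so it is inert if
	// it is later rendered into a page.
	req.Description = html.EscapeString(strings.TrimSpace(req.Description))
	return &req, nil
}

// validate applies the semantic rules the JSON type system cannot express.
func validate(r *PolicyRequest) error {
	if !repoPattern.MatchString(r.Repository) {
		return errors.New("repository must look like owner/name")
	}
	if r.Mode != "audit" && r.Mode != "block" {
		return fmt.Errorf("mode must be \"audit\" or \"block\", got %q", r.Mode)
	}
	if len(r.AllowedHosts) > 100 {
		return errors.New("too many allowed_hosts (max 100)")
	}
	for _, h := range r.AllowedHosts {
		if !hostPattern.MatchString(h) {
			return fmt.Errorf("allowed_hosts entry %q is not a valid hostname", h)
		}
	}
	if len(r.Description) > 500 {
		return errors.New("description exceeds 500 characters")
	}
	return nil
}

func main() {
	// Constructed sample bodies: one valid, then unknown field, wrong type,
	// bad enum value and trailing data.
	samples := []string{
		`{"repository":"example-org/example-repo","mode":"block","allowed_hosts":["api.github.com","*.npmjs.org"],"description":"<b>prod</b>"}`,
		`{"repository":"example-org/example-repo","mode":"audit","admin":true}`,
		`{"repository":"example-org/example-repo","mode":"audit","allowed_hosts":"api.github.com"}`,
		`{"repository":"example-org/example-repo","mode":"permit"}`,
		`{"repository":"example-org/example-repo","mode":"audit"} {}`,
	}
	for _, s := range samples {
		req, err := DecodePolicyRequest(strings.NewReader(s))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted: %+v\n", *req)
	}
}
```

Escaping at the input boundary mirrors the page's description; because the same value may later be emitted into HTML, JSON and logs, most services additionally encode at render time for each output context.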
Secure Development Lifecycle
Security Code Review
Every code change undergoes mandatory security review before deployment. Peer code reviews are required for all pull requests, with security-focused review for authentication, authorization, and data handling changes. Automated security scanning runs in our CI/CD pipeline, and no direct commits to main branches are allowed.
Automatic Vulnerability Patching
Dependabot automatically monitors our dependencies for known vulnerabilities and opens pull requests to update affected packages, so newly disclosed vulnerabilities in third-party code are patched promptly.
Hardened Container Images
Our services run on hardened Alpine-based container images to minimize the attack surface, reducing potential vulnerabilities from unnecessary packages and libraries.
Drinking Our Own Champagne
We use Bullfrog internally to protect our own GitHub Actions workflows, allowing only authorized egress connections and monitoring for any anomalies. This ensures we experience our product the same way our customers do.
Responsible Disclosure
We welcome security researchers and encourage responsible disclosure of any security vulnerabilities you may discover.
Report Security Issues:
Email us at security@bullfrogsec.com
We commit to:
- Respond to your report within 24 hours
- Keep you informed of our progress throughout the investigation
- Credit you for the discovery (if desired) once the issue is resolved
- Not pursue legal action for good-faith security research
Questions About Our Security?
We're happy to answer questions about our security practices, architecture, or controls.
Security inquiries: security@bullfrogsec.com
General contact: contact@bullfrogsec.com