The principle
Ferret has to read your code to hunt bugs in it. That is a serious responsibility, so we treat your source as the most sensitive thing we touch. It runs in isolation, it is never used to train models, and it is removed when the hunt is done.
If you find a security issue, tell us at security@ferretlabsai.com. We read those fast and we do not punish people for reporting in good faith.
Isolated sandboxes
Each analysis runs in a per-repository sandbox that is isolated from every other customer and destroyed after the hunt completes. Your code is held only for the duration of analysis, never longer.
Sandboxes have no outbound network access to arbitrary destinations. They can read the repository under analysis and nothing else.
Never trained on your code
We do not use your source code, tests, or the fixes Ferret writes to train machine learning models, and we never share your code with third parties for their own purposes. Your repositories are analyzed, not absorbed.
Self-host and air-gap
On the Enterprise plan, the entire hunt runs inside your own network. Your code never crosses your boundary, and you keep full control of where analysis happens. This is the right fit for teams where source cannot leave the building.
Encryption and access
Data is encrypted in transit with TLS and at rest. Internal access to systems is scoped to the minimum needed to operate the service, protected by SSO and multi-factor authentication, and administrative actions are logged.
Enterprise adds SSO, SCIM provisioning, role-based access control, and exportable audit logs.
Responsible disclosure
Report vulnerabilities to security@ferretlabsai.com. Please give us a reasonable window to investigate and fix before any public disclosure. We will keep you updated on our progress and credit you if you would like.
Do not run tests that could degrade service for other customers, access data that is not yours, or exfiltrate data. Good-faith research within these bounds is welcome.
Compliance
We are happy to walk security teams through our practices, subprocessors, and data flows during evaluation. Enterprise agreements include a Data Processing Addendum and a security review. Reach out and we will share the current documentation.
Questions? Reach us at hello@ferretlabsai.com. This document is written to be read, not to be survived.