diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..e70b764
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "frontier-evals"]
+	path = frontier-evals
+	url = https://github.com/openai/frontier-evals.git
diff --git a/README.md b/README.md
index c807172..d240d03 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@
 
 <a href="#how-it-works"><b><u>How it works</u></b></a> | <a href="#security"><b><u>Security</u></b></a> | <a href="#key-services"><b><u>Key services</u></b></a> | <a href="#repo-layout"><b><u>Repo layout</u></b></a> | <a href="#quickstart-local-dev"><b><u>Quickstart (local dev)</u></b></a>
 
-This repository contains a companion interface to the `evmbench` detect evaluation ([code](https://github.com/openai/frontier-evals)).
+This repository contains a companion interface to the `evmbench` detect evaluation ([code](https://github.com/openai/frontier-evals)). For reference, we include the evaluation code as a pinned submodule at `frontier-evals/`.
 
 Upload contract source code, select an agent, and receive a structured vulnerability report rendered in the UI.
 
@@ -95,6 +95,7 @@ Operational note: worker runtime is bounded by default; override the max audit r
 ├── SECURITY.md
 ├── LICENSE
 ├── frontend/                 Next.js UI (upload zip, select model, view results)
+├── frontier-evals/           Pinned upstream reference (git submodule)
 ├── backend/
 │   ├── api/                  Main FastAPI API (jobs, auth, integration)
 │   ├── instancer/            RabbitMQ consumer; starts workers (Docker/K8s)
diff --git a/frontier-evals b/frontier-evals
new file mode 160000
index 0000000..e4d27fe
--- /dev/null
+++ b/frontier-evals
@@ -0,0 +1 @@
+Subproject commit e4d27fe304be2bf7e8088ee45895b42bd4abea77