Responsible disclosure

Public-Facing Responsible Vulnerability Disclosure Policy.

Franklin Access values the work of independent security researchers and the broader security community. This policy explains how to report potential vulnerabilities responsibly and what researchers can expect from Franklin Access during the review process.

Scope

Systems Covered by This Policy.

This policy applies to publicly accessible systems, applications, services, and cloud resources owned, operated, or controlled by Franklin Access, particularly those exposed through AWS-hosted environments.

Web Applications and APIs

Public-facing web properties, endpoints, and application interfaces operated by Franklin Access.

Mobile Applications

Covered mobile apps include Quvo and Pintrac for Android and iOS.

Cloud Infrastructure

Internet-exposed cloud resources and other public systems directly operated by Franklin Access.

Out of scope

Testing Activities That Are Not Authorized.

Researchers should avoid testing that could harm people, disrupt services, affect third parties, or expose private data.

Physical attacks against employees, offices, or data centers.
Social engineering, including phishing, vishing, or smishing.
Denial-of-service or distributed denial-of-service testing.
Attacks on third-party systems not directly controlled by Franklin Access.
Testing internal, staging, development, or test systems.
Outdated browser or plugin issues, self-XSS, or low-risk banner disclosures.
Brute-force user enumeration where rate limiting is in place.
Public information or unlikely interaction issues that do not create a real security risk.

How to report

Send Enough Detail for Franklin Access to Validate the Issue.

Reports should be sent to the dedicated reporting channel and include the information needed to understand, reproduce, and evaluate the potential impact.

01

Describe the Vulnerability

Explain what you found and the potential impact.

02

Include Reproduction Steps

Provide clear, step-by-step instructions and affected URLs, endpoints, or components.

03

Add Supporting Evidence

Include a proof of concept, screenshots, or video where useful.

04

Share Credit Details

Optionally include your name or handle if you would like recognition.

Our commitment

What Researchers Can Expect from Franklin Access.

Franklin Access will acknowledge reports within three business days, investigate promptly, communicate about status and questions, and work to remediate confirmed vulnerabilities based on severity and complexity.

When appropriate, Franklin Access will collaborate on public disclosure after a fix is in place and will not pursue legal action against individuals who act in good faith, comply with this policy, and avoid disruption or harm.

Researcher expectations

Guidelines for Responsible Disclosure.

Researchers are expected to act ethically, comply with applicable laws, avoid service interruption, avoid accessing or modifying user data, and wait for mutually agreed disclosure before making vulnerability details public.

Only access the minimum data necessary to demonstrate a valid issue, and do not attempt to exploit personal accounts or private information.

Recognition

Thank You for Helping Keep Franklin Access Secure.

Franklin Access appreciates responsible vulnerability disclosures. Reports that lead to a confirmed and resolved security vulnerability may be eligible for public acknowledgement on a Security Researchers Hall of Fame page, with the researcher's permission.

Legal Notice

This policy is intended to encourage responsible vulnerability reporting. Franklin Access reserves the right to take appropriate action when activity falls outside the policy or causes harm, disruption, unauthorized access, or other risk.

Report vulnerabilities cs@franklinaccess.com
Email a report