Public-Facing Responsible Vulnerability Disclosure Policy
Introduction
The security of our systems and the data entrusted to us is paramount. We believe that a strong security posture is a collective effort, and we greatly value the contributions of independent security researchers and the broader security community. This Responsible Vulnerability Disclosure Policy outlines our guidelines for discovering and reporting security vulnerabilities in our products, services, and infrastructure.
We are committed to working with the security community to investigate and resolve legitimate security issues swiftly and responsibly.
1. Scope
This policy applies to all publicly accessible systems, applications, and services owned, operated, or controlled by Franklin Access, particularly those hosted on Amazon Web Services (AWS) Cloud. This includes, but is not limited to:
- Web applications and APIs:
- Mobile applications:
  - Quvo app for Android and iOS
  - Pintrac app for Android and iOS
- Public-facing cloud infrastructure: Resources explicitly exposed to the internet.
- Any other system or service directly operated by Franklin Access that is accessible from the public internet.
Out of Scope:
The following are explicitly out of scope for this policy and should not be tested:
- Physical attacks against Franklin Access employees, offices, or data centers.
- Social engineering (e.g., phishing, vishing, smishing) of Franklin Access employees or contractors.
- Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attacks.
- Attacks on third-party services or products not directly controlled by Franklin Access (unless the vulnerability directly impacts our services via a misconfiguration or specific integration).
- Attacks against services or systems clearly marked as “internal,” “staging,” “development,” or “test.”
- Vulnerabilities in outdated browser versions or plugins.
- Missing security best practices that do not directly lead to an exploitable vulnerability (e.g., missing HTTP security headers that do not allow for content injection).
- Descriptive error messages or banner disclosures that do not provide direct access to sensitive data or a direct attack vector.
- Self-XSS (Cross-Site Scripting that requires the user to paste the payload into their own browser console).
- Issues related to user enumeration through brute-forcing login pages or “Forgot Password” functionality that are sufficiently rate-limited.
- Publicly accessible information that does not pose a security risk (e.g., public S3 buckets configured for public read access for legitimate purposes).
- Vulnerabilities that require complex or unlikely user interaction to exploit.
2. How to Report a Vulnerability
If you believe you have discovered a security vulnerability in one of our systems, please report it to us as quickly as possible via the following dedicated channel:
Email: cs@franklinaccess.com
Please include the following information in your report to help us understand and reproduce the issue:
- Clear description of the vulnerability: What is the vulnerability, and what is its potential impact?
- Steps to reproduce: Detailed, step-by-step instructions on how to replicate the vulnerability.
- Proof-of-concept (PoC): If applicable, a working example or code snippet demonstrating the vulnerability.
- Affected assets/URLs: Specific URLs, endpoints, or system components that are vulnerable.
- Screenshots or video: Visual evidence of the vulnerability (if applicable).
- Your name/handle (optional): If you wish to be credited.
3. Our Commitment (What You Can Expect From Us)
Upon receiving your vulnerability report, we commit to the following:
- Acknowledgement: We will acknowledge receipt of your report within 3 business days.
- Investigation: Our security team will investigate your report promptly and thoroughly.
- Communication: We will keep you updated on the status of your report, including any questions we may have or requests for further information.
- Remediation: We will work diligently to validate and remediate confirmed vulnerabilities. The time to resolve will depend on the complexity and severity of the issue.
- Transparency (with discretion): We will collaborate with you on public disclosure, if desired, after the vulnerability has been fixed. We prefer to remediate the issue before any public disclosure.
- No Legal Action: We will not pursue legal action against individuals who discover and report vulnerabilities in good faith, in compliance with this policy, and without causing disruption or harm.
4. Guidelines for Responsible Disclosure (What We Expect From You)
To ensure a productive and secure disclosure process, we ask you to:
- Act in Good Faith: Conduct your research ethically and responsibly.
- Do Not Disclose Publicly Without Permission: Do not disclose any information about the vulnerability to the public or to any third party until we have acknowledged the report, investigated it, fixed the issue, and mutually agreed upon a disclosure plan (if any).
- Do Not Interrupt Our Services: Avoid any testing or activities that could disrupt our services, compromise data integrity, or impact user experience.
- Do Not Access or Modify Data: Do not access, modify, delete, or store any user data without explicit permission. Only access enough data to prove the vulnerability.
- Avoid Privacy Violations: Do not attempt to access or exploit personal user accounts or data.
- Comply with Laws: Adhere to all applicable laws and regulations.
5. Recognition and Hall of Fame
We are grateful for all responsible vulnerability disclosures. For reports that lead to a confirmed and resolved security vulnerability, we will gladly offer:
- Public acknowledgement on our “Security Researchers Hall of Fame” page (with your permission).
- A sincere thank you from our security team.
6. Legal Disclaimer
This policy is designed to encourage responsible vulnerability reporting. If you do not follow the guidelines set out in this policy, Franklin Access reserves the right to take appropriate legal action. We do not authorize any activities that are not in accordance with this policy.
Thank you for helping us keep Franklin Access secure!