Web Applications and APIs
Public-facing web properties, endpoints, and application interfaces operated by Franklin Access.
Responsible disclosure
Franklin Access values the work of independent security researchers and the broader security community. This policy explains how to report potential vulnerabilities responsibly and what researchers can expect from Franklin Access during the review process.
Scope
This policy applies to publicly accessible systems, applications, services, and cloud resources owned, operated, or controlled by Franklin Access, particularly those exposed through AWS-hosted environments.
Public-facing web properties, endpoints, and application interfaces operated by Franklin Access.
Covered mobile apps include Quvo and Pintrac for Android and iOS.
Internet-exposed cloud resources and other public systems directly operated by Franklin Access.
Out of scope
Researchers should avoid testing that could harm people, disrupt services, affect third parties, or expose private data.
How to report
Reports should be sent to the dedicated reporting channel and include the information needed to understand, reproduce, and evaluate the potential impact.
Explain what you found and the potential impact.
Provide clear, step-by-step instructions and affected URLs, endpoints, or components.
Include a proof of concept, screenshots, or video where useful.
Optionally include your name or handle if you would like recognition.
Our commitment
Franklin Access will acknowledge reports within three business days, investigate promptly, communicate about status and questions, and work to remediate confirmed vulnerabilities based on severity and complexity.
When appropriate, Franklin Access will collaborate on public disclosure after a fix is in place and will not pursue legal action against individuals who act in good faith, comply with this policy, and avoid disruption or harm.
Researcher expectations
Researchers are expected to act ethically, comply with applicable laws, avoid service interruption, avoid accessing or modifying user data, and wait for mutually agreed disclosure before making vulnerability details public.
Only access the minimum data necessary to demonstrate a valid issue, and do not attempt to exploit personal accounts or private information.
Recognition
Franklin Access appreciates responsible vulnerability disclosures. Reports that lead to a confirmed and resolved security vulnerability may be eligible for public acknowledgement on a Security Researchers Hall of Fame page, with the researcher's permission.
This policy is intended to encourage responsible vulnerability reporting. Franklin Access reserves the right to take appropriate action when activity falls outside the policy or causes harm, disruption, unauthorized access, or other risk.