FranConnect Vulnerability Disclosure Policy
Updated on Jan 06, 2020 V1.0
FranConnect, LLC (FranConnect) places a high priority on maintaining the security, privacy and integrity of our products. We are committed in creating a safe, transparent environment in which to report vulnerabilities.
Guidelines for responsible disclosure:
- Share the security issue with us before making it public to peers, on message boards, mailing lists, and other forums.
- Allow us reasonable time to respond to the issue before disclosing it publicly. FranConnect’s TAT for closure is 20 business days.
- Provide full details of the security issue and be open to describing how you found it so we may work on the source/root cause or reproduce the conditions.
Do not engage in security research that involves:
- Potential or actual denial of service of FranConnect applications and systems.
- Use of an exploit to view data without authorization, or corruption of data.
- Requests for direct compensation for the reporting of security issues either to FranConnect or through any external marketplace for vulnerabilities, whether black-market or otherwise.
Reporting security vulnerabilities:
If you have found a security vulnerability or have a security incident to report that could impact FranConnect or our users, we encourage you to report this right away via e-mail to firstname.lastname@example.org. FranConnect will investigate all legitimate reports and fix the problem as soon as possible. Please be sure to include an e-mail address where we can reach you, in case we need more information.
Once we have received a vulnerability e-mail, FranConnect takes a series of steps to address the issue:
- FranConnect requests the reporter keep any communication regarding the vulnerability confidential.
- FranConnect investigates and verifies the vulnerability.
- FranConnect addresses the vulnerability and releases an update or patch to the software. If for some reason this cannot be done quickly or at all, FranConnect will provide information on recommended mitigations.
- FranConnect publicly announces the vulnerability in the release notes of the update. FranConnect may also issue additional public announcements, for example via social media, our blog, and media.
- Release notes (and blog posts when issued) include a reference to the person/people who reported the vulnerability, unless the reporter(s) would prefer to stay anonymous.
- FranConnect will endeavor to keep the reporter apprised of every step in this process as it occurs.
- We greatly appreciate the efforts of security researchers and discoverers who share information on security issues with us, giving us a chance to improve our products and services, and better protect our customers. Thank you for working with us through the above process.