Security & privacy is at the heart of everything FrankieOne does. We’re committed to protecting Frankie One’s proprietary or confidential information and data (including customer’s data), which is why we appreciate the work of the security researchers. With your permission, we will include you in our public Recognitions list which is published as part of our Responsible disclosure program, however we do not compensate individuals or organisations for identifying potential or confirmed security vulnerabilities.
FrankieOne will review all reports that are disclosed to us and we will do our best to address each potential security vulnerability in a timely fashion. We do ask that security researchers maintain confidentiality and provide us with a reasonable timeframe to address the potential security vulnerability before public disclosure.
FrankieOne will not take legal action against security researchers in relation to the discovery and reporting of a potential security vulnerability, provided that the reporting and disclosure is in accordance with this Responsible Disclosure Program.
What is strictly prohibited
- DoS/DDoS or overloading with many requests or large requests
- Download more data than necessary to demonstrate a vulnerability
- Abusing our services to conduct fraud
- Access, delete, copy, modify, exfiltrate, disclose or use of FrankieOne’s proprietary or confidential information or data (including customer’s data)
- Any activity or attempt to gain unauthorised access
- Weak or insecure ciphers and certificates
- Sending unsolicited or unauthorised email or other type of message
- Conducting social engineering (like phishing) against FrankieOne’s employees, customers, partners or any other party
- Use of malware for the research
- Any physical attempts against FrankieOne’s property
- Take advantage of any weakness with FrankieOne’s product, systems or infrastructure
In the context of this Responsible Disclosure Program, we consider security vulnerability to be a weakness in Frankie One’s products, systems or infrastructure that could allow an attacker to impact their confidentiality, integrity, or availability.
Once you have reported the potential security vulnerability to us, we will send you an e-mail confirming we have received your submission. We will also notify you when a valid security vulnerability reported to us has been addressed.
We will validate the potential security vulnerability and reserve the right to categorise it as not a valid security vulnerability for FrankieOne but rather a best practice or a recommendation, e.g. auto-complete enabled or disabled or presence or absence of HTTP headers.
If we find that the reported potential security vulnerability is a duplicate or already known to us, the report will not be eligible for public recognition.
We are unable to respond to bulk reports including those generated by automated scanners. If a potential vulnerability is identified using an automated scanner, it is recommended that a security practitioner validates the finding before submitting a report to us.
Please do not use this disclosure program to report scam attempts and refer to Frankie’s advice on How to protect yourself from scams - Frankie
What to include in the report:
Please include as much information as possible including the following:
- An explanation of the potential security vulnerability;
- A list of affected products including affected URLs
- Steps to reproduce the vulnerability
- Proof-of-concept code (where possible)
- The names of any test accounts you have created (where applicable); and
- Your name and contact information (unless you wish to stay anonymous or use a pseudonym)
- Type of issue (cross-site scripting, SQL injection, remote code execution, etc.)
- The potential impact of the vulnerability (i.e. what data can be accessed or modified)
- Date, time and time zone of when the suspected vulnerability was discovered
- IP address used when suspected vulnerability was discovered
How to report a potential vulnerability
You can responsibly report and disclose a potential vulnerability by sending an email to firstname.lastname@example.org
If you feel the email should be encrypted, or contains confidential information, our PGP key can be found here.