Franke Vulnerability Disclosure Policy

Franke is committed to ensuring the security of its connected products and mobile applications that interact with online services. This policy provides clear guidelines for anyone who conducts vulnerability discovery activities and identifies any vulnerabilities, as well as a process for reporting such vulnerabilities to Franke.

We recommend reading this vulnerability disclosure policy fully before you report a vulnerability and always acting in compliance with it. We value those who take the time and effort to report security vulnerabilities according to this policy. However, we do not offer monetary rewards for vulnerability disclosures.

Reporting a Vulnerability:

If you believe you have found a security vulnerability related to Franke App or connected products, please submit your report to us using the following email:

security@franke.com

In your report please include details of:

1 - Affected product:

  • product type (app or appliance)
  • product model
  • version of product if available

2 - Description of the vulnerability:

  • a summary of the vulnerability
  • add any helpful supporting files (e.g. screenshot or video) if available
  • add any mitigations or recommendations

3 - Steps to reproduce:

  • clear and descriptive steps to reproduce the vulnerability
  • information necessary to reproduce the issue (environmental conditions)
  • estimated impact of the vulnerability
  • proof-of-concept code, exploit code (if any or applicable), network traces, or other resources demonstrating the vulnerability or how to exploit it (replicability)

Note: If a large amount of data needs to be submitted, please get in touch with us, and we'll arrange the proper way to exchange information.

4 - Public references (if any):

  • Please indicate if the vulnerability has already been publicly disclosed and by whom (provide us the reference).

Guidelines to follow:

To participate in Franke’s vulnerability disclosure program, participants must:

· Submit reports in English (we will discard non-English communication)

· Comply with all applicable laws.

· Adhere to this policy and other applicable agreements.

· Share details of the security issue with Franke.

· Submit vulnerability reports or security concerns to the email address specified in this policy.

· Allow Franke a reasonable amount of time to analyze and/or resolve the issue before publicly disclosing it.

· Not access or modify Franke’s or users’ data without explicit permission from the owner and immediately contact Franke if accidental user data access occurs.

· Avoid privacy violations, placing backdoors, data destruction, and disruption or degradation of our services (including denial-of-service attacks). Avoid the use of high-intensity, invasive or destructive scanning tools to find vulnerabilities.

· Not attempt to manipulate Franke employees or contractors for access or information.

· Focus on verifiable vulnerabilities that pose a risk. General configuration issues such as TLS ciphers, email spam, volumetric attacks, missing web security headers or "best practices" alone are not considered unless they are part of an exploitable condition.

· Securely delete all data retrieved during your research as soon as it is no longer required or within 1 month of the vulnerability being resolved, whichever occurs first (or as otherwise required by data protection law).

· Not exfiltrate data.

· Not engage in extortion.

What to expect from our revision process:

When Franke receives a vulnerability report, we acknowledge its receipt within 10 business days and provide an estimated timeline for resolution. Franke aims to fix all valid vulnerabilities within 90 working days of reporting, although more time may be needed for complicated fixes.

We’ll also aim to keep you informed of our progress. Priority for remediation is assessed by looking at the impact, severity, and exploit complexity. We will notify you when the reported vulnerability is remediated, and you may be invited to confirm that the solution covers the vulnerability adequately. We will publish a security advisory or technical note to inform users and the community.

Remember that reporting can be done completely anonymously; we do not need any personal data from the reporter.

Additional considerations:

· We strongly recommend S/MIME encryption in your initial email communication.

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the Organization or partner organizations to be in breach of any legal obligations.