Xfinion, Inc. (“Xfinion,” “we,” “us,” or “our”) is committed to protecting the security of our systems and the data entrusted to us by our customers. We welcome the assistance of security researchers and the broader security community in identifying vulnerabilities so that we can address them promptly. This Vulnerability Disclosure Policy (“Policy”) describes how to report security vulnerabilities to us and what you can expect from us in return.
Scope
This Policy applies to security vulnerabilities discovered in the following Xfinion-operated systems and services:
- The CARTN software-as-a-service platform and associated APIs (cartn.io and related subdomains)
- The Xfinion public-facing website (xfinion.com and related subdomains)
- Any Xfinion-owned infrastructure directly supporting the above services
If you are unsure whether a system is in scope, err on the side of caution and contact us before proceeding. We will clarify scope and, if the system is not ours, direct you to the appropriate party.
Out-of-Scope Activities
The following activities are explicitly outside the scope of this Policy. Engaging in these activities may expose you to legal liability, and Xfinion will not extend safe-harbor protections to conduct that falls outside this Policy:
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
- Physical attacks against Xfinion facilities, personnel, or equipment
- Social engineering, phishing, or vishing of Xfinion employees or contractors
- Automated vulnerability scanning that generates significant traffic or degrades service availability
- Accessing, downloading, modifying, or deleting customer data beyond what is minimally necessary to demonstrate the vulnerability
- Attempting to access accounts, systems, or data that you are not personally authorized to access
- Exploiting a vulnerability beyond the minimum necessary to confirm its existence
- Vulnerabilities in third-party services, libraries, or products not controlled by Xfinion
- Theoretical vulnerabilities or issues with no demonstrable security impact
- Reports generated solely by automated scanning tools without manual verification or analysis
How to Report a Vulnerability
To report a security vulnerability, please send an email to:
Xfinion Security Team
Email: security@xfinion.com
If your report contains sensitive technical details or includes proof-of-concept code that could enable exploitation, we encourage you to note this in the subject line so we can handle the report with appropriate care. All reports are reviewed by our security team.
What to Include in Your Report
To help us triage and reproduce the issue as quickly as possible, please include the following in your report:
- A clear description of the vulnerability and its potential security impact
- The affected system, URL, endpoint, or component
- Step-by-step instructions to reproduce the vulnerability
- Any proof-of-concept code, screenshots, or screen recordings that demonstrate the issue (redact or avoid including actual customer data)
- The version or environment where you observed the issue, if known
- Your suggested remediation or mitigation, if you have one
- Your contact information (name and email address) so we can follow up with you
You are not required to provide a suggested fix, but detailed reproduction steps are essential for timely triage.
Our Commitment to Researchers
When you submit a vulnerability report in accordance with this Policy, Xfinion commits to the following:
- Initial acknowledgment: We will acknowledge receipt of your report within 3 business days of receiving it.
- Triage and assessment: We will assess the reported vulnerability and provide you with an initial determination of its validity and severity as promptly as practicable, typically within 10 business days of acknowledgment.
- Status updates: We will keep you informed of our remediation progress at reasonable intervals and notify you when the issue has been resolved.
- Coordinated disclosure: We will work with you to agree on an appropriate public disclosure timeline. We ask that you allow us a reasonable period to investigate and remediate before any public disclosure.
- Credit: With your permission, we will publicly acknowledge your contribution after the vulnerability has been resolved.
This Policy does not offer monetary compensation. Xfinion does not currently operate a bug bounty program.
Safe Harbor
Xfinion will not initiate or recommend legal action against security researchers who discover and report vulnerabilities in good faith and in compliance with this Policy. We consider security research conducted under this Policy to be authorized under the Computer Fraud and Abuse Act (CFAA) and other applicable laws, and we will not pursue civil or criminal legal action against you for such research.
To qualify for safe-harbor protection, your research must:
- Comply with the scope and restrictions set out in this Policy;
- Avoid unnecessary harm to Xfinion, its customers, or third parties;
- Avoid accessing, retaining, sharing, or using customer or personal data beyond what is minimally necessary to demonstrate the vulnerability;
- Be reported to Xfinion promptly and in full before any public disclosure or disclosure to third parties; and
- Not be conducted for the purpose of financial extortion, competitive intelligence, or any other improper purpose.
If you are unsure whether your planned research activities fall within this Policy, contact us at security@xfinion.com before proceeding.
Coordinated Disclosure
Xfinion follows a coordinated vulnerability disclosure model. We ask that you:
- Report the vulnerability to us before disclosing it publicly or to any third party;
- Allow us a reasonable period—typically no less than 90 days from the date of our initial acknowledgment—to investigate, remediate, and communicate with affected parties before any public disclosure; and
- Contact us if you believe a shorter timeline is warranted due to active exploitation or imminent public risk.
We will work collaboratively with you on disclosure timing and are committed to keeping you informed throughout the remediation process. If you wish to publish a blog post or presentation about your findings after resolution, we encourage you to share a draft with us so we can review it for accuracy and ensure no sensitive technical details remain that could facilitate exploitation.
Policy Updates
We may update this Policy from time to time to reflect changes in our practices, legal requirements, or the threat landscape. When we do, we will update the “Last Updated” date at the top of this page. We encourage you to review this Policy periodically.
Questions
If you have questions about this Policy or are unsure whether a particular activity is permitted, please contact our security team at security@xfinion.com before proceeding.