Syncro fully understands that it’s our responsibility to protect our systems and your data that we hold. We are committed to having real human dialog with the security community and engaging to improve things where needed. Responsible disclosure of security vulnerabilities helps ensure privacy and security of all our users.
- Send an email to firstname.lastname@example.org if you find any potential vulnerability in our products. (See below policy)
- We try to acknowledge and triage within 24 hours (business days) from submission.
- Syncro will define the severity based on impact/reach of exploit.
- It can take some time to validate findings, as sometimes things have reach that isn’t obvious at first glance.
- We will triage/fix based on a timeline that comes from the severity of the issue and our policy.
- Please use the email@example.com email address when communicating with us about security issues.
- Documenting or publishing the vulnerability details in public domain is against our responsible disclosure policy.
How to Report
We need enough information to dig in and validate the issue.
- A description is always helpful, and try to explain the impact because sometimes we can’t tell how the report could even be exploited. More details are better.
- A video (unlisted youtube is fine) to demonstrate goes a long way!
Products/Domains in Scope
- The SyncroMSP Windows Agent/interfacing with Windows or our cloud
- Remote code execution (RCE)
- SQL/XXE Injection and command injection
- Cross-Site Scripting (XSS)