Responsible Disclosure



Syncro fully understands that it’s our responsibility to protect our systems and your data that we hold. We are committed to having real human dialog with the security community and engaging to improve things where needed. Responsible disclosure of security vulnerabilities helps ensure the privacy and security of all our users.

  • Send an email to if you find any potential vulnerability in our products. (See the policy below.)
  • We try to acknowledge and triage within 24 hours (business days) from submission.
  • Syncro will define the severity based on impact/reach of exploit.
  • It can take some time to validate findings, as sometimes things have reach that isn’t obvious at first glance.
  • We will triage/fix based on a timeline that comes from the severity of the issue and our policy.
  • Please use the email address when communicating with us about security issues.
  • Documenting or publishing the vulnerability details in the public domain is against our responsible disclosure policy.


How to Report

We need enough information to dig in and validate the issue.

  • A description is always helpful, and try to explain the impact because sometimes we can’t tell how the report could even be exploited. More details are better.
  • A video (unlisted YouTube is fine) to demonstrate goes a long way!


Products/Domains in Scope

  • (your_account)(*)
  • *
  • The SyncroMSP Windows Agent/interfacing with Windows or our cloud


Qualifying Bugs

  • Remote code execution (RCE)
  • SQL/XXE Injection and command injection
  • Cross-Site Scripting (XSS)
  • Server-side request forgery (SSRF)
  • Misconfiguration issues on servers and application
  • Authentication and Authorization related issues
  • Cross-site request forgery (CSRF)

Non-Qualifying Bugs

  • HTML injection and Self-XSS
  • Host header and banner grabbing issues
  • Automated tool scan reports. Example: web, SSL/TLS scan, Nmap scan results, etc.
  • Missing HTTP security headers and cookie flags on insensitive cookies
  • Rate limiting, brute force attack
  • Login/logout CSRF
  • Session timeout
  • Unrestricted file upload
  • Open redirections
  • Formula/CSV Injection
  • Vulnerabilities that require physical access to the victim machine.
  • User enumeration, such as user email, user ID, etc.
  • Phishing / Spam (including issues related to SPF/DKIM/DMARC)
  • Vulnerabilities found in third party services
  • EXIF data not stripped on images


Found a Bug?

Email if you think you’ve found something.