Syncro software plays a foundational role in our partners’ businesses. Understanding this, we take our responsibility for delivering a secure and reliable product very seriously. Here are the safeguards we have in place and the commitments we make to our partners.
When it comes to the security of Syncro systems, we follow industry practice in the following areas:
- Security incident response
- Network and application security
- Multi-factor authentication
- Phishing and fraud prevention
- Security awareness training
- Information security
- Vulnerability disclosure
Syncro is built for high availability using load balancing, a primary/follower (replica) database architecture, and horizontal scaling.
The data in your Syncro account is replicated across multiple database servers so that the failure of a single server does not cause data loss. That data is also backed up regularly and stored in a secure offsite location, so that even in the event of a catastrophe such as a tornado or flood your information remains safe and your records can be restored quickly.
You're entitled to your data. Syncro makes it simple to create CSV exports at any time, and exports can also be automated so you never have to worry about losing your data.
If you have any security concerns or questions, contact us at firstname.lastname@example.org.
Responsible disclosure policy
Syncro fully understands its responsibility to protect our systems and any of your data that we hold. We’re committed to having real dialog with the security community and engaging to improve things where needed. Responsible disclosure of security vulnerabilities helps ensure the privacy and security of all our users.
- Send an email to email@example.com if you find a potential vulnerability in our product or to discuss any security concerns.
- We aim to acknowledge and triage messages within 24 hours (1 business day) from submission.
- Syncro will assign a severity to the reported issue based on its impact and reach. Validating a finding can take some time, because the full reach of an issue is not always obvious at first glance.
- We'll triage and fix the vulnerability on a timeline determined by its severity and our policy.
- We aim to fix all high priority security vulnerabilities within 45 days.
- We aim to disclose vulnerabilities or breaches within 90 days.
Best practices for reporting
Email firstname.lastname@example.org with enough information for us to reproduce and validate the issue.
A clear description is always helpful. Explain the impact as well, since it is not always obvious from a report how an issue could be exploited. More detail is better, and a demonstration video (an unlisted YouTube link is fine) goes a long way.
Products and domains in scope
- The Syncro Windows agent
- The Syncro Mac agent
Vulnerability types in scope
- Remote code execution (RCE)
- SQL injection, XML external entity (XXE) injection and command injection
- Cross-site scripting (XSS)
- Server-side request forgery (SSRF)
- Access control, authentication and authorization issues
- Cross-site request forgery (CSRF)
Out of scope
- Host header and banner grabbing issues
- Automated tool scan reports, e.g. web, SSL/TLS or Nmap scan results
- Missing HTTP security headers, and missing cookie flags on non-sensitive cookies
- Missing rate limiting and brute-force attacks
- Login/logout CSRF
- Session timeout
- Unrestricted file upload
- Open redirects
- Vulnerabilities that require physical access to the victim machine
- User enumeration, such as user email, user ID, etc.
- Phishing or spam (including issues related to SPF, DKIM, and DMARC)
- Vulnerabilities found in third-party services
- EXIF data not stripped from images
Found a vulnerability?
Email email@example.com if you think you’ve found something.