{"id":75994,"date":"2025-09-02T14:41:18","date_gmt":"2025-09-02T18:41:18","guid":{"rendered":"https:\/\/syndigo.com\/?page_id=75994"},"modified":"2026-02-12T14:42:38","modified_gmt":"2026-02-12T19:42:38","slug":"responsible-disclosure-notice","status":"publish","type":"page","link":"https:\/\/syndigo.com\/de\/responsible-disclosure-notice\/","title":{"rendered":"Responsible Disclosure Notice"},"content":{"rendered":"\n
\n

Responsible Disclosure Notice<\/h1>\n<\/div><\/section>\n\n\n\n
\n

This page is for security researchers interested in reporting application security vulnerabilities.<\/h2>\n\n\n\n

If you have reported an issue determined to be within scope, is determined to be a valid security issue, and you have followed program guidelines, Syndigo will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued. Please refer all questions to the provided Bugcrowd form below. Although Syndigo is unable to offer compensation for reported findings (confirmed or not), responsibly disclosing these vulnerabilities are appreciated and are utilized in advancing the security field.<\/p>\n\n\n\n

Typical vulnerabilities requiring responsible disclosure:<\/h2>\n\n\n\n
    \n
  • OWASP Top 10 vulnerability categories<\/li>\n\n\n\n
  • Other vulnerabilities with demonstrated impact<\/li>\n<\/ul>\n\n\n\n

    Program Guidelines:<\/strong><\/h2>\n\n\n\n
      \n
    • All forms of social engineering are strictly prohibited (phishing, vishing, smishing).<\/li>\n\n\n\n
    • Performing vulnerability scans against Syndigo and its assets is strictly prohibited.<\/li>\n\n\n\n
    • If user\/client\/vendor information is found in any form, do not verify them. Please inform us and we will validate them.<\/li>\n\n\n\n
    • Adhere to all legal terms and conditions outlined at Syndigo.com.<\/li>\n\n\n\n
    • Work directly with Syndigo on vulnerability submissions.<\/li>\n\n\n\n
    • Provide detailed description of a proof of concept to detail reproduction of vulnerabilities.<\/li>\n\n\n\n
    • Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems.<\/li>\n\n\n\n
    • Do not engage in social engineering or phishing of customers or employees.<\/li>\n\n\n\n
    • Do not request compensation for time and materials or vulnerabilities discovered.<\/li>\n<\/ul>\n\n\n\n

      When submitting your vulnerability report, we request that the following are not submitted to us. We have numerous programs and tools internally that allow us to look for these categories of vulnerabilities and have likely already detected them, if present:<\/p>\n\n\n\n

        \n
      • Out-of-date software<\/li>\n\n\n\n
      • Theoretical vulnerabilities<\/li>\n\n\n\n
      • Informational disclosure of non-sensitive data<\/li>\n\n\n\n
      • Low impact session management issues<\/li>\n\n\n\n
      • Self XSS (user defined payload)<\/li>\n\n\n\n
      • Any attack requiring physical access to Syndigo offices, devices, servers, data centers, personnel, or any physical location.<\/li>\n\n\n\n
      • User enumeration through brute forcing techniques or enumeration which requires message confirmations generated by Syndigo services, (i.e. using the forgotten password option and receiving a “user does not exist message”).<\/li>\n\n\n\n
      • CSRF issues that don’t impact the integrity of an account.<\/li>\n\n\n\n
      • Non-sensitive files and directories disclosure (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, WSDL, pprof, etc.)<\/li>\n\n\n\n
      • Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements<\/li>\n\n\n\n
      • Descriptive error messages (e.g. stack traces, application or server errors, path disclosure)<\/li>\n\n\n\n
      • Fingerprinting\/banner disclosure on common\/public services<\/li>\n\n\n\n
      • Clickjacking or any attack that requires clickjacking as a prerequisite.<\/li>\n\n\n\n
      • TLS\/SSL Issues, including BEAST BREACH, insecure renegotiation, bad cipher suite, expired certificates, etc.<\/li>\n\n\n\n
      • Email spoofing (including SPF, DKIM, DMARC, From:<\/em> spoofing, and visually similar, and related issues)<\/li>\n\n\n\n
      • WAF bypass<\/li>\n\n\n\n
      • Open redirects<\/li>\n\n\n\n
      • Lack of security speed bump page<\/li>\n\n\n\n
      • Internal IP address disclosure<\/li>\n\n\n\n
      • Self XSS<\/li>\n\n\n\n
      • Text injection<\/li>\n\n\n\n
      • Mass submissions\/account creation<\/li>\n\n\n\n
      • Lack of Secure and HTTP <\/li>\n\n\n\n
      • Only cookie flags<\/li>\n\n\n\n
      • HTTPS mixed content scripts<\/li>\n\n\n\n
      • Missing security headers<\/li>\n\n\n\n
      • All forms of Dos \/ DDoS<\/li>\n\n\n\n
      • Spelling and\/or grammar mistakes<\/li>\n<\/ul>\n\n\n\n