search
globe
  • English
  • Français
  • German
  • Polski
Solutions
Product Experience Cloud for Brands
Product Experience Cloud for Brands
Product Experience Cloud for Retail
Product Experience Cloud for Retail
Master Data Management (MDM)
Master Data Management (MDM)
Product Information Management (PIM)
Syndication
Rich Media
GDSN
Vendor Central
Analytics
App Marketplace
AI GoPilots
Nutrition & Wellness
In-Store Solutions
Global Professional Services
Industries
Manufacturing
Retail
CPG
Foodservice
Restaurants & Operators
Industrial Manufacturing
Healthcare
Automotive Aftermarket
Partners
Become a Partner
Find a Partner
Enabler Partner
Partner Portal
Influencer Program
Syndigo Community
Resources
Blogs
eBooks
White Papers
Success Stories
Guides
Analyst Reports
Webinars
Glossary
Syndigo University
App Marketplace
Training
Documentation
AI Innovation
Sustainability
Company
About
Leadership Team
Careers
News
Events
Support
Talk to Sales
search
globe
  • English
  • Français
  • German
  • Polski
Talk to Sales
close

Responsible Disclosure Policy

This page is for security researchers interested in reporting application security vulnerabilities.

If you have reported an issue determined to be within scope, is determined to be a valid security issue, and you have followed program guidelines, Syndigo will recognize your finding and you will be allowed to disclose the vulnerability after a fix has been issued. Please refer all questions to the provided Bugcrowd form below. Although Syndigo is unable to offer compensation for reported findings (confirmed or not), responsibly disclosing these vulnerabilities are appreciated and are utilized in advancing the security field.

Typical vulnerabilities requiring responsible disclosure:

  • OWASP Top 10 vulnerability categories
  • Other vulnerabilities with demonstrated impact

Program Guidelines:

  • All forms of social engineering are strictly prohibited (phishing, vishing, smishing).
  • Performing vulnerability scans against Syndigo and its assets is strictly prohibited.
  • If user/client/vendor information is found in any form, do not verify them. Please inform us and we will validate them.
  • Adhere to all legal terms and conditions outlined at Syndigo.com.
  • Work directly with Syndigo on vulnerability submissions.
  • Provide detailed description of a proof of concept to detail reproduction of vulnerabilities.
  • Do not engage in disruptive testing like DoS or any action that could impact the confidentiality, integrity or availability of information and systems.
  • Do not engage in social engineering or phishing of customers or employees.
  • Do not request compensation for time and materials or vulnerabilities discovered.

When submitting your vulnerability report, we request that the following are not submitted to us. We have numerous programs and tools internally that allow us to look for these categories of vulnerabilities and have likely already detected them, if present:

  • Out-of-date software
  • Theoretical vulnerabilities
  • Informational disclosure of non-sensitive data
  • Low impact session management issues
  • Self XSS (user defined payload)
  • Any attack requiring physical access to Syndigo offices, devices, servers, data centers, personnel, or any physical location.
  • User enumeration through brute forcing techniques or enumeration which requires message confirmations generated by Syndigo services, (i.e. using the forgotten password option and receiving a “user does not exist message”).
  • CSRF issues that don’t impact the integrity of an account.
  • Non-sensitive files and directories disclosure (e.g. README.TXT, CHANGES.TXT, robots.txt, .gitignore, WSDL, pprof, etc.)
  • Login or Forgot Password page brute force, account lockout not enforced, or insufficient password strength requirements
  • Descriptive error messages (e.g. stack traces, application or server errors, path disclosure)
  • Fingerprinting/banner disclosure on common/public services
  • Clickjacking or any attack that requires clickjacking as a prerequisite.
  • TLS/SSL Issues, including BEAST BREACH, insecure renegotiation, bad cipher suite, expired certificates, etc.
  • Email spoofing (including SPF, DKIM, DMARC, From: spoofing, and visually similar, and related issues)
  • WAF bypass
  • Open redirects
  • Lack of security speed bump page
  • Internal IP address disclosure
  • Self XSS
  • Text injection
  • Mass submissions/account creation
  • Lack of Secure and HTTP
  • Only cookie flags
  • HTTPS mixed content scripts
  • Missing security headers
  • All forms of Dos / DDoS
  • Spelling and/or grammar mistakes