Vulnerability Disclosure Policy
Last Updated: July 10, 2026
Synthro (Pty) Ltd. (“Synthro”) takes the security of our platform and our customers’ data seriously. We value the work of the security research community and welcome good-faith reports of vulnerabilities that could affect our services. This policy explains how to report an issue, what is in scope, and what you can expect from us.
How to report a vulnerability
Email security@synthro.io (or hello@synthro.io). To help us triage quickly and validate your report, please include:
- The exact affected asset or URL (e.g.
app.synthro.io/...). - The vulnerability class (e.g. IDOR, XSS, auth bypass, injection).
- Clear, reproducible steps or a minimal proof of concept.
- The realistic security impact (what an attacker could actually achieve).
Machine-readable details are published at /.well-known/security.txt.
Scope
In scope:
www.synthro.io— our public website.app.synthro.io— the Synthro application.- Our backend APIs and serverless (edge) functions.
Out of scope / generally not eligible. To keep signal high, the following are typically not treated as qualifying vulnerabilities unless you can demonstrate a concrete, exploitable security impact with a working proof of concept:
- Missing or “best-practice” email records (SPF/DKIM/DMARC) or HTTP security headers.
- Clickjacking on pages with no sensitive, state-changing action.
- Reports generated solely by automated scanners without a validated, exploitable finding.
- Self-XSS, or issues requiring a fully compromised device / physical access.
- Rate-limiting or brute-force concerns on non-authentication, non-sensitive endpoints.
- Denial-of-service, volumetric, or spam/mail-bombing techniques.
- Social engineering, phishing, or attacks against our staff or customers.
- Missing security.txt, version disclosure, or other purely informational findings.
What we ask of researchers
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Only interact with accounts you own or have explicit permission to test. Never access, modify, or exfiltrate other users’ data.
- Give us a reasonable opportunity to investigate and remediate before any public disclosure.
- Do not use automated high-volume scanning that degrades service for others.
Our commitment
- We aim to acknowledge valid reports within 5 business days.
- We will keep you informed as we validate and remediate the issue.
- With your permission, we are happy to publicly credit you once the issue is resolved.
No paid bug bounty. Synthro does not currently operate a monetary bug-bounty or reward program. Reports are handled on a responsible-disclosure basis, and we recognise valid contributions with public credit (where desired) — not payment. Please do not submit reports conditional on a fee.
Safe harbour
If you make a good-faith effort to comply with this policy during your research, we will consider your actions to be authorised, we will not pursue or support legal action against you, and we will work with you to understand and resolve the issue quickly. This policy does not authorise actions that violate applicable law.