Vulnerability Disclosure Policy

At Synthesized, the security of our platform and the protection of customer data are core priorities. We welcome contributions from security researchers and members of the public who help us identify potential vulnerabilities in our systems.

Scope

This policy applies to all public-facing services and assets owned and operated by Synthesized.

It excludes customer-managed or self-hosted deployments of Synthesized software, which are outside of our control.

Guidelines for Researchers

We ask that you:

  • Act in good faith and avoid privacy violations, destruction of data, or service disruption;
  • Provide us with a reasonable amount of time to investigate and remediate reported issues;
  • Refrain from disclosing vulnerabilities to the public or third parties until we have resolved the issue.

Out of Scope

The following are explicitly out of scope:

  • Self-managed or on-premise customer environments;
  • Social engineering, phishing, or physical attacks;
  • Denial of Service (DoS/DDoS) testing.

Reporting a Vulnerability

To report a security issue, please email:

📧 security@synthesized.io

Include as much detail as possible, such as:

  • Steps to reproduce the issue;
  • A proof-of-concept (if available);
  • Your contact details (optional).

We will acknowledge receipt within 5 business days and provide regular updates as we triage and resolve the issue.

Safe Harbor

We commit to:

  • Not pursuing legal action under the Computer Fraud and Abuse Act (CFAA) or DMCA against researchers who act in good faith and follow this policy;
  • Working with you to understand and resolve the issue quickly;
  • Crediting you publicly (with permission) if your report leads to a valid fix.