Vulnerability disclosure policy

We welcome good-faith security research. If you believe you have found a vulnerability in Syncanix, we want to hear about it — quickly, directly, and before anyone else.

How to report

Email a description of the issue to admin@syncanix.com. Please include:

  • Steps to reproduce, or a proof of concept — enough for us to confirm the issue.
  • Your assessment of the impact: what data or actions an attacker could reach.
  • The affected surface — site, dashboard, API, widget, MCP server, or CLI.

What we commit to

  • Acknowledgement within 3 business days of your report.
  • Triage and an initial severity assessment within 7 days.
  • A status update at least every 14 days until resolution.
  • Public credit for the finding if you want it — or full anonymity if you prefer.

We run no paid bounty programme today. If that changes, this page and our security.txt will say so first.

Good-faith safe harbor

We will not pursue or support legal action against research conducted in good faith and within these rules:

  • Do not access, modify, or retain data that is not yours; if you encounter someone else’s data, stop and report.
  • Do not degrade the service for others — no volumetric testing against shared infrastructure.
  • Test only against accounts and tenants you own or created for the purpose.

Scope

In scope: syncanix.com, app.syncanix.com, api.syncanix.com, cdn.syncanix.com (the embeddable widget), the per-tenant MCP surface, and the syncanix CLI.

Out of scope:

  • Denial-of-service or volumetric findings.
  • Social engineering, phishing, or physical attacks against people.
  • Vulnerabilities in third-party services we use — report those to the vendor (we list them on our subprocessors page).
  • Automated scanner output without a demonstrated, reproducible impact.

Coordinated disclosure

Please give us 90 days from your report (or a timeline we agree on together) before any public disclosure, so a fix can ship to every tenant first. We are happy to coordinate publication and will not sit on a confirmed issue.

Machine-readable version: /.well-known/security.txt