Even the most security conscious companies occasionally have vulnerabilities identified in their websites, demonstrating the value of human-powered security research as part of a comprehensive security defense. Synack is no exception. Every now and then we get asked how to report a vulnerability in the Synack.com website, and if Synack offers rewards for responsibly disclosed vulnerabilities. Here is a quick overview of our Security Incident Response Team (SIRT) process, and answers to some frequently asked questions.
- Vulnerabilities in the synack.com website can be reported to the Synack SIRT at secureATsynackDOTcom. You can expect a professional and respectful response from a human (not just an auto-response message) within two business days. Our PGP key is at the end of this post.
- Synack does not have a Hall of Fame. Our philosophy on delivering more meaningful rewards for security researchers is outlined on our blog.
- Synack’s business model is not an open bug bounty program. We only pay for vulnerabilities reported through our platform by Synack Red Team members. As the Synack Red Team is a closed community with stringent admission standards, we offer researchers who responsibly disclose a vulnerability in Synack.com the opportunity to take our admissions evaluations to join the SRT.
Vulnerability Researchers, we share your passion for security and believe in delivering meaningful rewards for high quality security research work. We welcome your application to the SRT (with or without a vulnerability submission to our SIRT).