Synack Inc.’s Vulnerability Disclosure Policy
Synack, Inc. (“Synack”) and the Synack Red Team, routinely conduct research into the security of commonly used applications, hardware, and products. The research is done to educate and protect end users of services and products. Synack recognizes that disclosure of vulnerabilities must be done in such a way that balances the safety of end users with providing vendors a reasonable amount of time to fix a vulnerability. This Vulnerability Disclosure Policy (“Policy”) outlines how Synack handles vulnerability disclosures to product vendors, security vendors and the general public. For the avoidance of doubt, this Policy is not applicable to Synack’s confidential contractual engagements with its customers, which are separate and distinct from the research projects described herein.
Synack will notify the appropriate product vendor of a security flaw within their product(s) and/or service(s). The first attempt at contact will be through any appropriate contacts or formal mechanisms listed on the vendor web site. If such contact information is not posted, Synack will make a best effort to locate an appropriate contact medium. Once a formal or appropriate contact mechanism has been found, the pertinent information about the vulnerability will be securely transmitted to the vendor.
If a vendor fails to acknowledge Synack’s initial notification within five (5) business days, Synack will initiate a second contact to vendor. If Synack exhausts all of the above means in order to contact a vendor, then Synack may, in its sole discretion, issue a public advisory disclosing its findings fifteen (15) business days after the attempt at initial contact.
If a vendor response is received within the timeframe outlined above, Synack requests that the vendor specify a desired timeframe for remediation. Synack will allow the vendor up to sixty (60) calendar days to address the vulnerability with a patch. At the end of the deadline or sooner (if notified by vendor), if the vulnerability has been patched, or if the vendor is not responsive or unable to provide a reasonable statement as to why the vulnerability is not fixed, Synack will publish a publicly-available advisory including mitigation in an effort to enable the defensive community to protect the user.
We realize some issues may take longer than the deadline to patch due to complexity and compatibility reasons and we are willing to work with vendors on a case-by-case basis on extensions. To maintain transparency in our process, if any vulnerability is given an extension, we plan on publishing the communication we’ve had with the vendor regarding the issue once it is patched. We hope that this level of insight into our process will allow the community to better understand some of the difficulties vendors have when remediating high-impact bugs. Synack will make every effort to work with vendors to ensure they understand the technical details and severity of a reported security flaw. If a product vendor is unable to, or chooses not to, patch a particular security flaw, Synack may offer to work with that vendor to publicly disclose the flaw with some effective workarounds.
In the event Synack feels it is appropriate to immediately alert the general public of a vulnerability due to the risk or safety to the end user of a product or service then Synack shall simultaneously advise the vendor and the general public of its findings. In Synack’s communication to vendor it shall list the factors used in deciding to immediately publish its findings.
Last Updated: November 1, 2015