Synack Red Team FAQs

Other questions? Tweet us: @synackredteam

Synack publishes a list of minimums and high payments for vulnerabilities by category, which is available to valid SRT members.

Missions are work that is claimed by or assigned to individual SRT members. Each has a discrete payment for a specific amount of work that must be accomplished in a timely manner.

Missions do not always require finding new vulnerabilities.

Payments are set and awarded by Vuln Ops, a team within Synack. No customer sets or awards payments, so the treatment of the SRT is professional and consistent.

A regular Mission such as “Check for default passwords” will earn $25-50, while an ad-hoc Mission can easily exceed $100. Vulnerability payments vary based on severity and novelty, typically $500 to several thousand dollars.

Our average vulnerability payment was in the $600-$900 range in 2020, with very wide variation on individual rewards.

Once on the SRT, you have access to Synack’s portal. It is an ethical hacking platform that seeks to make your hacking time efficient and lucrative.

Among other features, it alerts you to new targets, helps you with recon, keeps track of your reports, tells you what has been found already, and more.

Typically no, but you can make a request via [email protected]. Publishing is only allowed with customer approval.

Synack ensures that there is a fair opportunity to find vulnerabilities by rotating access to targets across the SRT. This reduces duplicated and wasted effort and helps manage researcher load on customer assets. The more researchers engage and participate, the more targets and opportunities they receive!

Such opportunities include, for example, periodic requests from Synack for a small set of researchers with specific skills and experience to look at specific targets in special circumstances.

To remain active on the SRT, researchers must meet the minimum annual requirements set forth in the annual productivity assessment.

Customers may from time to time use Synack’s messaging system to communicate with SRT members through the Synack Platform. These communications are typically regarding questions the customer has about work submitted by the SRT member.

Furthermore, Synack will not share the identity of its SRT members without the SRT member’s consent, unless required by law or in connection with an investigation of potential rules violations.

Three types:

  • Hunting for security vulnerabilities
  • Checks for specific weaknesses (“Missions”)
  • Patch verification

Finding vulnerabilities pays the most, but you have to find them first. There is one exception: during an hours-long Initial Launch Period, we award the payment to the best reporter of each vulnerability.

Missions are offered and snapped up quickly by the SRT. Once you have one, you are guaranteed the payment if you complete the Mission on time and according to the rules.

There are a number of international, federal and state cybersecurity laws, including the U.S. Computer Fraud and Abuse Act, which potentially apply to your research on the Synack Platform. We advise you to become familiar with the laws that may apply to you. Your compliance with these laws as well as Synack’s Researcher Terms of Use (Researcher TOU) and the rules of engagement (ROE) applicable to your research will reduce the risk of any lawsuit being brought against you. Reach out to the Synack team in case you have questions on the Researcher TOU or any ROE.

To protect SRT members against certain third-party claims, Synack has agreed to indemnify SRT members against claims resulting from a customer mistake in providing an incorrect scope of work to Synack. The availability of the indemnity is subject to certain terms set forth in the Researcher TOU.

Synack provides security work for security researchers around the world. The majority is bug bounty-style hunting, where researchers compete on skill, speed and report quality to get their work accepted and ultimately paid. We also have Missions, which are payments for simpler work. Mission types include confirming or denying suspected vulnerabilities we find, or checking for specific weaknesses in a checklist form.

Synack also pays for patch verification, so you can get paid again to confirm that a vuln you found has been closed.

From time to time, we offer special Missions that reflect work that needs to be done by our customers.

No. You decide how much time you spend, and get paid for what you accomplish. For most, hacking as an SRT member is something they do for a few hours each week.

For the best SRT members, a significant income can be earned, equivalent to or higher than the average annual wages of most countries.

SRT members are independent contractors of Synack. Income is therefore reported to the IRS via a 1099 form for US SRT members and a W-8BEN for non-US SRT members.

Synack operates responsibledisclosure.com, which has several public, unpaid programs on behalf of our customers. These are open to the public, including SRT.

Synack does not operate public, bounty-paying programs to avoid creating incentives that may encourage, or cover for, less than ethical hacking.

Synack customers are often large global and government institutions. However, we have a diverse set of customers including small companies and start-ups.