The Federal Reserve Vulnerability Disclosure Program

Protect The Federal Reserve by reporting security vulnerabilities through our Vulnerability Disclosure Program (VDP). Submit findings securely and support a transparent, proactive security process.


* By submitting a vulnerability, you agree to the Terms of Service.


Responsible Disclosure Rules of Engagement

  • No Denial of Service testing
  • No Physical or Social Engineering
  • No testing of Third-party Services
  • No uploading of any vulnerability or client-related content to third-party utilities (e.g. GitHub, Dropbox, YouTube)
  • All attack payload data must use professional language
  • If able to gain access to a system, accounts, users, or user data, stop at point of recognition and report. Do not dive deeper to determine how much more is accessible.
  • If you document a vulnerability publicly, make sure the write-up is discreet and does not identify the client.

In-Scope Targets

Any publicly-accessible system owned, operated, or controlled by the Federal Reserve System or Federal Reserve Banks, including any Federal Reserve owned web applications or services hosted on those systems.

Federal Reserve Bank sites use non-government top-level domains such as .com, .org, .net, etc.

Federal Reserve Bank domains include, but are not limited to:

  • federalreserveonline.org, etc.
  • atlantafed.org, etc.
  • bostonfed.org, etc.
  • chicagofed.org, etc.
  • clevelandfed.org, etc.
  • dallasfed.org, etc.
  • kansascityfed.org, etc.
  • minneapolisfed.org, etc.
  • newyorkfed.org, etc.
  • philadelphiafed.org, etc.
  • richmondfed.org, etc.
  • sanfranciscofed.org, etc.
  • stlouisfed.org, etc.

Out-of-Scope Targets

This VDP applies to the private-sector Federal Reserve Banks (generally .com and .org sites) and not to the public-sector Federal Reserve Board of Governors (.gov sites).

The following are beyond the scope of this VDP:

  • *.gov
    • This includes any United States government system, application, or service such as those pertaining to the Federal Reserve Board of Governors or the United States Department of the Treasury
  • People, including Federal Reserve employees, contractors, and vendors
  • Physical assets, including Federal Reserve property, facilities, and physical security controls
  • Federal Reserve Board of Governors

Activities

In-Scope Activities

Activities are limited exclusively to:

  • Testing to detect a vulnerability or identify an indicator related to a vulnerability
  • Sharing or receiving Federal Reserve information about a vulnerability or an indicator related to a vulnerability

All testing activities must abide by relevant laws.

Header identification:

Testing traffic can look like an attack to our monitoring. So that we can attribute it to you rather than treat it as malicious, please identify yourself on every request:

  • Send the request header `VDP-Synack-Researcher: username`
  • Also append `Synack/username` to your User-Agent string (substituting your username in both places)
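The two identifiers above, as sent by the researcher and as matched on the receiving side, in an added example that is not part of the program page: a helper that builds the headers a researcher adds to each request, and a small parser that picks the `Synack/username` tag out of an access log so that traffic can be correlated with submissions instead of landing in the incident queue. It assumes a combined-format (Apache/nginx style) access log, which the page does not specify, and a hypothetical researcher username `jdoe`; the log lines are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

VDP_HEADER = "VDP-Synack-Researcher"
# The username goes into a header value and a User-Agent product token, so
# restrict it to a plain token; spaces or quotes would corrupt both.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")


def vdp_headers(username: str, base_user_agent: str) -> Dict[str, str]:
    """Headers a researcher adds to every request against in-scope targets.

    Returns the dedicated identifying header plus a User-Agent with
    'Synack/<username>' appended as a trailing product token.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must be a plain token (letters, digits, . _ -)")
    return {
        VDP_HEADER: username,
        "User-Agent": f"{base_user_agent} Synack/{username}",
    }


# Defender side. Assumption: the server writes the "combined" log format,
# whose last quoted field is the User-Agent. A default access log does not
# record custom request headers, so only the User-Agent suffix is visible here.
COMBINED_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
UA_TAG = re.compile(r"(?:^|\s)Synack/(?P<user>[A-Za-z0-9_.-]+)")


def researcher_from_log_line(line: str) -> Optional[str]:
    """Return the username from a 'Synack/<username>' User-Agent tag, or None."""
    m = COMBINED_LOG.match(line.rstrip("\n"))
    if not m:
        return None
    tag = UA_TAG.search(m.group("ua"))
    return tag.group("user") if tag else None


def triage(lines: List[str]) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split log lines into (tagged researcher traffic, everything else).

    The tag is self-asserted and unauthenticated, so tagged lines are routed
    to the VDP queue for correlation with submissions, not dropped from alerting.
    """
    tagged: List[Tuple[str, str]] = []
    untagged: List[str] = []
    for line in lines:
        user = researcher_from_log_line(line)
        if user:
            tagged.append((user, line))
        else:
            untagged.append(line)
    return tagged, untagged


# Constructed sample lines, not real traffic; the addresses are from the
# 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [08/Jan/2025:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0 Synack/jdoe"',
    '198.51.100.9 - - [08/Jan/2025:10:00:02 +0000] "GET /admin HTTP/1.1" 403 0 '
    '"-" "Mozilla/5.0"',
    "not a log line at all",
]

if __name__ == "__main__":
    print(vdp_headers("jdoe", "Mozilla/5.0"))
    tagged, untagged = triage(SAMPLE_LOG)
    print(f"{len(tagged)} tagged, {len(untagged)} untagged")
```

The User-Agent suffix is the part that survives into a standard web server access log; the `VDP-Synack-Researcher` header is only visible where a proxy, WAF or application is configured to log request headers, which is why the program asks for both. Because anyone can set either value, a defender should use the tag to route and correlate, never to suppress detections.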

Out-of-Scope Activities

  • Do not harm the Federal Reserve, its customers, employees, or contractors
  • Do not intentionally compromise the privacy or safety of Federal Reserve personnel or any third parties
  • Do not intentionally compromise the intellectual property or other commercial or financial interests of any Federal Reserve personnel or entities, or any third parties
  • Do not exfiltrate or retain any data or sensitive information under any circumstances
  • Do not detrimentally compromise/alter, or destroy Federal Reserve or customer data
  • Do not perform physical testing
  • Do not perform social engineering, including phishing
  • Do not perform denial of service testing, including resource exhaustion
  • Do not hijack or intentionally disrupt legitimate user sessions
  • Do not degrade the quality of Federal Reserve assets, resources, or information
  • Do not conduct or initiate fraudulent financial transactions
  • Do not perform automated scanning

Vulnerabilities

In-Scope Vulnerabilities

All vulnerabilities are in scope for disclosure excepting those explicitly listed as out-of-scope below.

Out-of-Scope Vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug. The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
  • Attacks requiring Man-in-the-Middle (MITM) positioning or physical access to a user's device
  • Previously known vulnerable libraries without a working proof of concept
  • Comma Separated Values (CSV) injection without demonstrating a vulnerability
  • Missing best practices in SSL/TLS configuration without a proof of concept demonstrating a vulnerability
  • Any activity that could lead to the disruption of service (DoS) for the Federal Reserve
  • Content spoofing and text injection issues without showing an attack vector and without being able to modify HTML/CSS
  • Rate limiting or brute-force issues on non-authentication endpoints
  • Missing best practices in Content Security Policy without demonstrating a vulnerability
  • Missing HttpOnly or Secure flags on cookies not related to authentication or sessions
  • Missing email best practices (invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
  • Vulnerabilities only affecting users of outdated or unpatched browsers (more than 2 stable versions behind the latest released stable version)
  • Software version disclosure / banner identification issues / descriptive error messages or headers (e.g. stack traces, application or server errors)
  • Tabnabbing (persuading users to submit login details and passwords by impersonating a Federal Reserve website)
  • Open redirect, unless an additional security impact can be demonstrated
  • Issues that require unlikely user interaction, unless an additional security impact can be demonstrated

Low Impact Vulnerabilities – Out of Scope

The following vulnerabilities are considered too low an impact to the client and will be marked as Out of Scope if submitted:

  • Google Maps API Keys
  • Account/e-mail enumeration using brute-force attacks
    • Valid user account/email enumeration not requiring brute-force will be considered
  • Any low impact issues related to session management (e.g. concurrent sessions, session expiration, password reset/change not logging out other sessions, etc.)
  • Bypassing content restrictions in uploading a file without proving the file was received
  • Clickjacking/UI redressing
  • Client-side application/browser autocomplete or saved password/credentials
  • Descriptive or verbose error pages without proof of exploitability or obtaining sensitive information
  • Directory structure enumeration (unless the fact reveals exceptionally useful information)
  • Incomplete or missing SPF/DMARC/DKIM records
  • Issues related to password/credential strength, length, lockouts, or lack of brute-force/rate-limiting protections
    • Account compromises (especially admin) as a result of these issues will likely be considered VALID
  • Lack of SSL/TLS or mixed content
    • Leaking session cookies, user credentials, or other sensitive data will be reviewed on a case by case basis
    • If leaking of sensitive data requires MITM positioning to exploit, it will be considered out of scope
  • Login/Logout/Unauthenticated/Low-impact CSRF
    • CSRF Vulnerabilities may be acceptable if they are of higher impact. Examples of low impact CSRF include: Add/Delete from Cart, Add/remove wishlist/favorites, Nonsevere preference options, etc.
  • Low impact Information disclosures (including Software version disclosure)
  • Missing Cookie flags
  • Missing/Enabled HTTP Headers/Methods which do not lead directly to a security vulnerability
  • Reflected file download attacks (RFD)
  • Self-exploitation (e.g. password reset links or cookie reuse)
  • SSL/TLS best practices that do not contain a fully functional proof of concept
  • URL/Open Redirection
  • Use of a known-vulnerable library which leads to a low-impact vulnerability (e.g. an outdated jQuery version leading to low impact XSS)
  • Valid bugs or best practice issues that are not directly related to the security posture of the client
  • Vulnerabilities affecting users of outdated browsers, plugins or platforms
  • Vulnerabilities that allow for the injection of arbitrary text without allowing for hyperlinks, HTML, or JavaScript code to be injected
  • Vulnerabilities that require the user/victim to perform extremely unlikely actions (e.g. Self-XSS)
    • Self-XSS for a Persistent/Stored XSS will be considered. The only circumstances under which we will not require proof of impact to multiple users is for Persistent/Stored XSS in cases where only one set of credentials is available to the researcher and other users cannot be tested. We will require documentation or evidence reasonably proving the functionality is available to other users, the backend team, or admins for the report to be considered.
    • Any type of XSS that requires a victim to press an unlikely key combination is NOT in scope (e.g. alt+shift+x for payload execution)

Additional specific vulnerability types considered out of scope due to low impact:

    • IIS Tilde File and Directory Disclosure
    • SSH Username Enumeration
    • WordPress Username Enumeration
    • SSL Weak Ciphers / POODLE / Heartbleed
    • CSV Injection
    • PHP Info
    • Server-Status if it does not reveal sensitive information
    • Snoop Info Disclosures

I. Overview

The following terms of use (the “Terms of Use”) apply when you view or use the Responsible Disclosure Program (the “Program”) hosted by Synack, Inc. (“Synack”, “we”, “our”, “us”) on Synack’s website at synack.com (https://www.synack.com/vdp/the-federal-reserve/) (our “Site”). By using our Site, you agree to fully comply with and be bound by the Terms of Use. Please review them carefully. If you do not accept our Terms of Use, do not access and use our Site. If you have already accessed our Site and do not accept our Terms of Use, you should immediately discontinue use of our Site. Synack commits that, if we conclude, in our sole discretion, that a security vulnerability submitted through the Site complies with the Terms of Use and the applicable Responsible Disclosure Guidelines, Synack will not bring a private action against you or refer the matter for public inquiry.

II. Privacy Policy

We respect the privacy of our Site visitors. Please refer to our Privacy Policy which explains how we collect, use, and disclose information that pertains to your privacy. When you access or use the Site, you signify your agreement to this Privacy Policy.

III. Eligibility Requirements

You agree that you will not under any circumstances:

  • Cause harm to us, our customers or others;
  • Be a resident of, or make your Submission from, a country or region against which the United States has issued export sanctions or other trade restrictions (e.g., Cuba, Iran, North Korea, Sudan, Syria and Crimea);
  • Be listed on the U.S. Department of the Treasury’s Specially Designated Nationals List;
  • Be in violation of any national, state, or local law or regulation;
  • Compromise our privacy or safety or the privacy or safety of our customers (including their customers) and our operation or the operation of our customers’ services;
  • Store, share, compromise or destroy our or our customers’ data; or
  • Be less than 14 years of age. If you are at least 14 years old, but are considered a minor in your place of residence, you must get your parent’s or legal guardian’s permission prior to participating in the program.

If we discover that you do not meet any of the criteria above, we will remove you from the Program. Any submissions you make to the Program, whether via the Program, in communications regarding an existing ticket for an existing submission, or by email shall be considered “Submission(s)” for purposes of these Terms of Use.

IV. Posting and Conduct Restrictions

By transmitting any Submission while using the Site, you agree, represent and warrant as follows:

  • You are solely responsible for your account and the activity that occurs while signed in to or while using your account;
  • You will not transmit content that is copyrighted or subject to third party proprietary rights, including privacy, publicity, trade secret, etc., unless you are the owner of such rights or have the appropriate permission from their rightful owner to specifically submit such content to us;
  • You hereby affirm we have the right to determine whether any of your Submissions are appropriate and comply with these Terms of Use, remove any and/or all of your communications, and terminate your account with or without prior notice;
  • You will not send unsolicited bulk communications, interfere or attempt to interfere with the proper functioning of our or our customers’ websites and systems, and will not publish or link to malicious content intended to damage or disrupt another user’s browser or computer; and
  • You will not take any action that we deem to impose or to potentially impose an unreasonable or disproportionately large load on our or our customers’ servers or network infrastructure.

Last updated: January 8, 2025

Synack, Inc. (“Synack”, “we”, “our”, “us”), a Delaware corporation with offices at 303 Twin Dolphin Drive, 6th Floor, Redwood City, California 94065, United States of America, is committed to protecting and respecting your privacy. This Synack Privacy Policy (our “Privacy Policy”) explains how we collect, use, process and disclose personal information in connection with your use of Synack’s website at synack.com (https://www.synack.com) and/or one of our applications, platforms, and other online services (collectively, our “Sites”). Please take a moment to read our Privacy Policy carefully. If you have any questions about our Privacy Policy, please contact us at [email protected].

Please note our Sites can contain links to third-party websites, applications, and services. Information collected by third parties is governed by their privacy practices. We do not take any responsibility for those third-party websites, applications, and services, nor how information shared through them is used, and we expressly disclaim any and all liability for the actions of third parties, including but without limitation to actions relating to the use and/or disclosure of personal information by third parties. We encourage you to learn about the privacy practices of those third parties.

ACKNOWLEDGMENT OF PRIVACY POLICY

By using our Sites you are acknowledging the terms of our Privacy Policy and accepting our Terms of Use, and acknowledge our collection, use, disclosure, and retention of your personal information as described in our Privacy Policy. If you do not agree with our Privacy Policy or our Terms of Use, you should not access our Sites.

INFORMATION WE COLLECT

When you access or use our Sites we collect certain categories of information about you from a variety of sources. Some features of our Sites may require you to directly enter certain information about yourself. You provide us with information in the following circumstances:

  • When you contact us. You provide personal information when contacting us through our Sites. For example, we will collect your first and last name, user name, company name, job title, email address, postal address, and phone number when you ask to download content (such as white papers), register for a webcast or other event, or subscribe to email lists.
  • When you create a customer account on our platform. When you create a customer account on our platform you will be required to provide us with your first and last name and email address. Customer account holders can provide us with additional information while using our platform’s messaging system.
  • Social media platforms. Our Sites also include social media features that may collect your IP address, which webpage you are visiting on our Sites, and may set a cookie to enable the feature to function properly. Your interactions with these features are governed by the privacy policy of the company providing it.
  • When you participate in a focus group, activity, or other events sponsored by us or other third parties we will collect from you your first and last name, company name, job title, email address and phone number.

We also automatically collect certain information when you visit our Sites from your computer, mobile phone or other access device. This information includes your location, computer operating system, Internet Protocol (IP) address, access times, browsing history and web log information, browser type and language, and “click stream” data, such as domain names and page views.

Finally, we obtain information about you from third parties. Such information may include:

  • Information we collect by going directly to third parties, such as advertising publishers, and marketing or analytics companies. We use this information to better understand our audience base, and customize our advertising and marketing.
  • Your first and last name, company name, job title, email address and phone number from event sponsors, including from industry tradeshows and conferences.

HOW WE USE COOKIES

We use cookies to collect information about your browsing activities on our Sites over time. Cookies allow us to recognize and count the number of users and to see how users move around our Sites. This helps us to improve the services we provide to you and the way our Sites work. For information on what cookies are, which ones we use, why we use them, and how you can manage their use, please see our Cookies Policy.

Your browser settings may allow you to transmit a “do not track” signal, “opt-out preference” signal, or other mechanism for exercising your choice regarding the collection of your personal information when you visit various websites. We respond to such signals and requests in accordance with our legal obligations and the practices described in this Privacy Policy. To learn more about “Do Not Track” signals, you can visit http://www.allaboutdnt.com/.

HOW WE USE INFORMATION WE COLLECT

In order to fulfill our contract with you, we process your personal information to administer your account and provide the services described in our Terms of Use.

Additionally, in order to be responsive to you, to provide effective services to you, and to maintain our business relationship, as a matter of our legitimate interests we will use the information we collect from you to:

  • personalize our Sites to ensure our content from our Sites is presented in the most effective manner for you and your device;
  • monitor and analyze trends, usage and activity in connection with our Sites and services to improve our Sites;
  • measure and understand the effectiveness of the content we serve to you and others;
  • communicate with you;
  • keep our Sites safe and secure, which includes enforcing our Terms of Use;
  • process requests submitted through a Responsible Disclosure Program on behalf of our customers;
  • communicate with you about products, services, promotions, events and other news and information we think will be of interest to you; or
  • provide third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information).

We obtain your consent to process your personal information for the following reasons:

  • Sign you up for our newsletter or alerts;
  • Communicate with you regarding any Responsible Disclosure Program submissions made by you;
  • Personalize our services for you; and
  • If you opted into marketing, to communicate with you about products, services, marketing, promotions, events and other news and information we think will be of interest to you.

In addition, we will use some or all of the above personal information to comply with any applicable legal obligations and to protect or defend our rights, the rights of our users, or others.

HOW WE DISCLOSE YOUR INFORMATION

We do not disclose your personal information to third parties other than as described above and as follows:

  • We disclose your personal information to service providers who help with parts of our business operation, such as cloud storage providers, IT service providers, and analytics and search engine providers that assist us in the improvement and optimization of our Sites.
  • We may disclose your personal information to advertising publishers, marketing and analytics companies.
  • We may disclose your personal information with third parties in order to (a) comply with laws and respond to lawful requests and legal process, (b) enforce our Terms of Use, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Synack, its users or the public as required or permitted by law.
  • We may disclose or transfer your personal information to a third party if we sell, transfer, divest, or disclose all or a portion of our business or assets to another company in connection with or during negotiation of any merger, financing, acquisition, bankruptcy, dissolution, transaction, or proceeding.
  • We will otherwise disclose your information as directed by you or subject to your consent.
  • If you made a submission through a Responsible Disclosure Program, we will disclose the details of your submission including contact details and related communication contents to the applicable customer for the purpose of reviewing and responding to your submission.
  • With respect to those users who have a username (and personal photo or avatar, if any, provided by you and associated with your user name), such information will be displayed on our Sites.

Information you provide through your participation in research projects, community discussions, chats, and any correspondence through our Sites, will be disclosed to other users, our customers or otherwise displayed on our Sites.

CALIFORNIA RESIDENTS

This section applies only to California residents.

Processing of Personal Information

In the preceding 12 months, we collected and disclosed for a business purpose the following categories of personal information about residents:

Categories of Personal Information | Categories of Recipients
Identifiers, such as your first and last name, user name, Internet Protocol (IP) address and email address | Cloud storage providers, IT service providers, analytics and search engine providers
Personal information categories listed in the California Customer Records statute, such as your postal address and phone number | Cloud storage providers, IT service providers, analytics and search engine providers
Internet or other similar network activity, such as your computer operating system, access times, browsing history and web log information, browser type and language, and “click stream” data, such as domain names and page views | Cloud storage providers, IT service providers, analytics and search engine providers
Geolocation data, such as information about your location | Cloud storage providers, IT service providers, analytics and search engine providers
Professional or employment-related information, such as your company name and job title | Cloud storage providers, IT service providers, analytics and search engine providers
Other information, such as any information customer account holders provide us with in the course of their use of our platform’s messaging system | Cloud storage providers, IT service providers, analytics and search engine providers
Responsible Disclosure Program submission information, including the name and email address you provide | The applicable customer

We do not collect, use, or disclose personal information for purposes other than those specified in this Privacy Policy. The purposes for which we collect your personal information are described in the section above, How We Use Information We Collect, and the categories of sources from which we collect your personal information are described in the section above, Information We Collect. We disclosed personal information over the preceding 12 months for the business purposes described in the section above, How We Disclose Your Information. Finally, the criteria we use to determine how long to retain personal information are described in the section below, Security and Retention of Your Information.

Selling or Sharing Personal Information / Opting-Out of Targeted Advertising

Synack does not “sell” (as “sell” is traditionally defined) personal information about our consumers. We do not make available or provide consumers’ names, phone numbers, addresses, email addresses, or other personal information to third parties in exchange for money. Like many companies, however, we have shared (as that term is defined in the CCPA) personal information in the preceding 12 months with third parties to provide you with personalized advertising about our Services when you visit other websites, to better understand our audience base, and to customize our advertising and marketing campaigns. This is considered (1) a “sale” or (2) a “share” of personal information to target advertisements to a consumer under the CCPA, which is subject to a right of opt-out in some jurisdictions.

If you wish to opt-out of such sharing and targeted advertising, you can do so by opting-out of being tracked by these technologies through our Cookie Settings Tool. Please note, some transfers of personal information may not be subject to this opt-out, and your selection does not affect other sharing of personal information about you as outlined in our Privacy Policy. For questions, please email [email protected].

WHERE WE STORE YOUR PERSONAL INFORMATION

Our Sites and the servers upon which our Sites are hosted are located in the United States. The personal information that we collect from you will be transferred to the United States. The personal information held by us will be stored in the United States. We will take all steps reasonably necessary to ensure that your personal information is treated securely and in accordance with our Privacy Policy.

In case of transfers of personal information out of Europe, see the “EU–U.S. Data Transfers” section of our Privacy Policy.

SECURITY AND RETENTION OF YOUR INFORMATION

We follow generally accepted industry standards to protect personal information submitted to us from unauthorized access, both during transmission and once we receive it. However, no data transmission over the Internet or other network can be guaranteed to be 100% secure. As a result, while we strive to protect information transmitted on or through Sites, we cannot and do not guarantee the security of any information you transmit on or through our Sites, and you do so at your own risk.

We retain the Personal Information we process for as long as needed to provide services to our users or as necessary to fulfil the purpose(s) for which it was collected. We will retain and use this Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

AGE LIMITATIONS

We do not knowingly collect personal information from children under 16. If we learn that we have collected the personal information of a child under 16, we will take steps to delete the information as soon as possible.

YOUR DATA PRIVACY RIGHTS

You may have rights under relevant data privacy laws, including the CCPA, the General Data Protection Regulation (EU) 2016/679 (the GDPR), the UK GDPR and other applicable laws and regulations.

Depending on where you are based, those rights can include the right to:

  • Access/Know: request access or copies of your personal information Synack processes and details of how we use it, and who we share it with;
  • Correction: rectify incorrect personal information;
  • Erasure: in certain circumstances you have the right to request that we delete your personal information;
  • Restriction: restrict the processing of your personal information other than for storage purposes, in certain circumstances;
  • Portability: request a commonly structured, machine-readable copy of your personal information and that such information is transferred to another data controller in certain circumstances and with certain exceptions;
  • Right to Opt out of Sale or Sharing: direct us not to “sell” or “share” your personal information (as those terms are defined under the CCPA). To exercise this right, use the Cookie Settings Tool described above;
  • Objection: object to our processing of your personal information;
  • Complain: lodge complaints with the competent data protection supervisory authority in the EEA country in which you live or work or where you think we have infringed data protection laws or with the UK Information Commissioner’s Office, as applicable to you, though we would encourage you to contact us in the first instance to relay any concerns; and/or
  • Non-discrimination: not to be discriminated against for exercising any of these rights.

Please note that a number of these rights only apply in certain circumstances, and all of these rights may be limited by law. For example, these rights may be limited where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests or where we are required by law to retain your personal information.

To exercise these rights, or to ask questions or relay concerns, please contact us via email at [email protected], phone at +1 (855) 796-2251 or by mail at: Synack, Inc., Attn: Legal Department, 303 Twin Dolphin Drive, 6th Floor, Redwood City, California 94063, United States of America.

To respond to some rights, we may need to verify your request either by asking you to log in and authenticate your account or otherwise verify your identity by providing information about yourself or your account. Authorized agents can make a request on your behalf if you have given them legal power of attorney or we are provided proof of signed permission, verification of your identity, and, in some cases, confirmation that you provided the agent permission to submit the request.

WITHDRAWAL OF CONSENT

Where you have provided your consent to us processing your personal information, you can withdraw your consent at any time by contacting us at [email protected].

OBJECTION TO MARKETING

You have the right to opt-out of receiving promotional emails from Synack by following the instructions in those emails. If you opt-out, we could still send you non-promotional emails, such as emails about your Synack account or our ongoing business relations. You can also send requests about your contact preferences or changes to your information, including requests to opt-out of disclosing your personal information with third parties, to our contact information below.

If you have an account, you can choose to either temporarily set your account offline or permanently delete it. In the event you choose to set your account offline, you will not be able to use our Sites until you decide to reactivate your account and your information will remain with Synack. In the event you delete your account, we will delete all personal information.

EU – U.S. DATA TRANSFERS

European Union Model Contract Clauses

Synack offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Economic Area, UK or Switzerland. A copy of our standard data processing addendum incorporating the Standard Contractual Clauses is available here. To the extent that Synack receives from a Customer any personal information of individuals located in the European Economic Area, UK or Switzerland, the parties will be deemed to have entered into the applicable Standard Contractual Clauses in respect of such transfer, whereby Synack is the “data importer” and the Customer is the “data exporter,” unless otherwise agreed.

EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF)

Synack complies with the EU-U.S. Data Privacy Framework program (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework program (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Synack has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Synack has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Synack is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission.

Synack is responsible for the processing of personal information it receives and subsequently transfers to a third party acting as an agent on its behalf.

Synack commits to cooperate with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commission (FDPIC) and comply with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.

In certain situations, Synack could be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

PRIVACY DISPUTE RESOLUTION

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), Synack commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact Synack via email at [email protected], by phone at +1 (855) 796-2251 or by mail at: Synack, Inc., Attn: Legal Department, 303 Twin Dolphin Drive, Floor 6, Redwood City, California 94065, United States of America.

Synack has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2.

CHANGES TO THIS PRIVACY POLICY

We update our Privacy Policy from time to time when our privacy practices change. When we update our Privacy Policy, we will revise the “Last updated” date above and post the new Privacy Policy to our Sites.

CONTACTING SYNACK

For questions about accessing, changing, or deleting your personal information, please visit http://www.synack.com/ or contact us at +1 (855) 796-2251 or via email at [email protected].

Company Name

The Federal Reserve

Website

https://www.frbservices.org/

About

The Federal Reserve, the central bank of the United States, provides the nation with a safe, flexible, and stable monetary and financial system.
