
Security.

Found a vulnerability? Tell us. We treat security reports as the most useful kind of email we get, and we will not pursue legal action against good-faith research carried out under this policy.

Last updated: 6 May 2026 · Effective: 6 May 2026

How to report

Email security@syntorium.com. Please include enough detail for us to reproduce the issue:

  • The URL or specific endpoint affected.
  • A description of the vulnerability and its impact.
  • Step-by-step reproduction instructions, including any payloads, headers, or accounts used.
  • Screenshots, request / response captures, or a short video where helpful.
  • Whether you have already disclosed the issue to anyone else.

If the issue is sensitive, you may encrypt your message. We will publish a PGP key at this URL when one is available; until then, please contact us first and we will arrange a secure channel.

What we commit to

  • Acknowledgement within 3 working days. A human will confirm that we received your report and are looking at it.
  • Triage within 10 working days. We will tell you whether we have reproduced the issue, our initial severity assessment, and an indicative remediation timeline.
  • Status updates while we fix it. For non-trivial findings we send updates at least every two weeks until the issue is resolved.
  • Notification when the fix is live. We will tell you when the patch has shipped, and confirm the URL or system where the fix can be verified.
  • Credit, if you want it. We are happy to thank you publicly in our disclosure or on a hall-of-fame page once the fix is live, with whatever name and link you prefer. Anonymous reports are equally welcome.

Scope

This policy covers infrastructure operated by Syntorium FZ-LLC and used to deliver our marketing presence and corporate communications. Specifically:

  • syntorium.com and any subdomain we operate.
  • The contact form and the email transport that backs it.
  • Our DNS, MX, SPF, DKIM, and DMARC configuration for the syntorium.com domain.
  • Public assets we host and link from this Site.

Out of scope

The following are not in scope. We will not act on reports against them and we ask that you do not test them under this policy:

  • Systems we operate on behalf of clients. Those have their own security contacts and disclosure processes; please contact the respective client directly.
  • Third-party services we use (Cloudflare, our email provider, our hosting provider, GitHub, and so on). Each operates its own security programme — please report to them directly.
  • Open-source repositories not owned by the Syntorium GitHub organisation. Please report to the project maintainers.
  • Social-engineering attacks against our team, our clients, or anyone else.
  • Physical attacks against our office.
  • Denial-of-service or volumetric testing of any kind. We monitor traffic and will block sources we judge abusive.

Findings we will likely close as informational

To save us both time, the following classes of report are unlikely to be considered vulnerabilities, unless you can demonstrate concrete impact:

  • Missing security headers (CSP, HSTS preload, X-Frame-Options, etc.) on a static page that has no authenticated session, no user input, and no sensitive content.
  • Output from automated scanners with no manual verification.
  • Username / email enumeration on the contact form.
  • Self-XSS or attacks requiring physical access to the victim's device.
  • Click-jacking on pages with no sensitive actions.
  • Reports about TLS configuration that match current Mozilla "intermediate" guidance.
  • Public information that is intentionally public (our office address, registration details, team identities).

Safe harbour

We consider security research conducted in accordance with this policy to be authorised. Provided you act in good faith, comply with the rules below, and do not cause harm:

  • We will not pursue legal action against you under the UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021) or any equivalent statute, and we will make a reasonable effort to support you if a third party initiates action against you for activity carried out in good faith under this policy.
  • We will treat your report as confidential and will not disclose your identity without your consent, except where compelled by law.

Good faith means, at a minimum:

  • Avoiding privacy violations, degradation of user experience, disruption of production systems, and destruction or modification of data.
  • Stopping testing as soon as you have demonstrated the vulnerability — do not exfiltrate more data than is necessary to demonstrate impact, and do not pivot beyond the immediate finding.
  • Giving us a reasonable time to remediate before any public disclosure (we generally consider 90 days a reasonable default; we are happy to coordinate longer or shorter where the issue justifies it).
  • Complying with all applicable laws and the Acceptable Use clause of our Terms of use.

Coordinated disclosure

We follow coordinated disclosure. Once a fix is live, we are happy to support you in publishing a write-up. We ask that you give us advance notice of the publication date so we can be ready to respond to questions.

For our clients' systems

If you believe you have found a vulnerability in a system we operate on behalf of a client, we recommend reporting it to the client directly. If you cannot identify a security contact for them, you can email us at security@syntorium.com and we will pass the report on, with your consent, to the right team.

Questions

For anything else security-related — questions about our practices, due-diligence requests from prospective clients, copies of our security overview — email security@syntorium.com.
