Security.
Found a vulnerability? Tell us. We treat security reports as the most useful kind of email we get, and we will not pursue legal action against good-faith research carried out under this policy.
How to report
Email security@syntorium.com. Please include enough detail for us to reproduce the issue:
- The URL or specific endpoint affected.
- A description of the vulnerability and its impact.
- Step-by-step reproduction instructions, including any payloads, headers, or accounts used.
- Screenshots, request / response captures, or short video where helpful.
- Whether you have already disclosed the issue to anyone else.
If the issue is sensitive and you would like to encrypt your report, note that we do not yet have a published PGP key; we will publish one at this URL when it is available. Until then, send a short unencrypted note first, without the technical details, and we will arrange a secure channel.
What we commit to
- Acknowledgement within 3 working days. A human will confirm that we received your report and that someone is looking at it.
- Triage within 10 working days. We will tell you whether we have reproduced the issue, our initial severity assessment, and an indicative remediation timeline.
- Status updates while we fix it. For non-trivial findings we send updates at least every two weeks until the issue is resolved.
- Notification when the fix is live. We will tell you when the patch has shipped, and confirm the URL or system where the fix can be verified.
- Credit, if you want it. We are happy to thank you publicly in our disclosure or on a hall-of-fame page once the fix is live, with whatever name and link you prefer. Anonymous reports are equally welcome.
Scope
This policy covers infrastructure operated by Syntorium FZ-LLC and used to deliver our marketing presence and corporate communications. Specifically:
- syntorium.com and any subdomain we operate.
- The contact form and the email transport that backs it.
- Our DNS, MX, SPF, DKIM, and DMARC configuration for the syntorium.com domain.
- Public assets we host and link from this Site.
Out of scope
The following are not in scope. We will not act on reports against them and we ask that you do not test them under this policy:
- Systems we operate on behalf of clients. Those have their own security contacts and disclosure processes; please contact the respective client directly.
- Third-party services we use (Cloudflare, our email provider, our hosting provider, GitHub, and so on). Each operates its own security programme — please report to them directly.
- Open-source repositories not owned by the Syntorium GitHub organisation. Please report to the project maintainers.
- Social-engineering attacks against our team, our clients, or anyone else.
- Physical attacks against our office.
- Denial-of-service or volumetric testing of any kind. We monitor traffic and will block sources we judge abusive.
Findings we will likely close as informational
To save us both time, the following classes of report are unlikely to be considered vulnerabilities, unless you can demonstrate concrete impact:
- Missing security headers (CSP, HSTS preload, X-Frame-Options, etc.) on a static page that has no authenticated session, no user input, and no sensitive content.
- Output from automated scanners with no manual verification.
- Username / email enumeration on the contact form.
- Self-XSS or attacks requiring physical access to the victim's device.
- Click-jacking on pages with no sensitive actions.
- TLS configuration findings where our configuration already matches Mozilla's current "Intermediate" recommended profile.
- Public information that is intentionally public (our office address, registration details, team identities).
Safe harbour
We consider security research conducted in accordance with this policy to be authorised. Provided you act in good faith, comply with the rules below, and do not cause harm:
- We will not pursue legal action against you under the UAE Cybercrime Law (Federal Decree-Law No. 34 of 2021) or any equivalent statute, and we will make a reasonable effort to support you if a third party initiates action against you for activity carried out in good faith under this policy.
- We will treat your report as confidential and will not disclose your identity without your consent, except where compelled by law.
Good faith means, at a minimum:
- Avoiding privacy violations, degradation of user experience, disruption of production systems, and destruction or modification of data.
- Stopping testing as soon as you have demonstrated the vulnerability — do not exfiltrate more data than is necessary to demonstrate impact, and do not pivot beyond the immediate finding.
- Giving us a reasonable time to remediate before any public disclosure (we generally consider 90 days a reasonable default; we are happy to coordinate longer or shorter where the issue justifies it).
- Complying with all applicable laws and the Acceptable Use clause of our Terms of use.
Coordinated disclosure
We follow coordinated disclosure. Once a fix is live, we are happy to support you in publishing a write-up. We ask that you give us advance notice of the publication date so we can be ready to respond to questions.
For our clients' systems
If you believe you have found a vulnerability in a system we operate on behalf of a client, we recommend reporting it to the client directly. If you cannot identify a security contact for them, you can email us at security@syntorium.com and we will pass the report on, with your consent, to the right team.
Questions
For anything else security-related — questions about our practices, due-diligence requests from prospective clients, copies of our security overview — email security@syntorium.com.