Responsible Disclosure

We take security seriously. If you've discovered a vulnerability affecting Syntrix or our infrastructure, we want to hear about it before it's public.

Reporting

Email chandler@syntrix.solutions with:

• A description of the vulnerability
• Steps to reproduce
• The impact you believe it has
• Any proof-of-concept code or screenshots

We acknowledge receipt within 3 business days.

Scope

In scope:

• syntrix.solutions
• api.syntrix.solutions
• Any subdomain of syntrix.solutions

Out of scope:

• Denial-of-service attacks
• Social engineering of Syntrix staff or customers
• Physical attacks
• Findings from automated scanners without proof of impact
• Findings on third-party services we depend on (report to that vendor directly)

Safe harbor

We will not pursue legal action against researchers who:

• Make a good-faith effort to comply with this policy
• Do not access, modify, or destroy data they aren't authorized to
• Do not degrade service availability for others
• Give us reasonable time to remediate before public disclosure

Recognition

We don't currently offer a paid bug bounty. We will publicly thank researchers (with permission) in the changelog and send Syntrix swag once we have any.