Hari Iyer | SyncEzy
CEO | 5 Min Read
Jul 15, 2024
SyncEzy Bug Bounty Policy
At SyncEzy, we take the security and reliability of our integrations seriously. We value the efforts of the security research community in helping us maintain high standards of security. If you discover a vulnerability in our systems, we encourage you to report it to us so we can address it promptly. As a token of our appreciation, we offer rewards for valid reports that help improve our services.
Reporting Guidelines:
- Submission: Send a detailed bug report to security [ at ] syncezy [ dot ] com.
- Report Content: Ensure that your report is clear and detailed, including:
  - Steps to reproduce the issue.
  - Proof of concept.
  - Relevant screenshots, videos, or logs.
  - Examples of downstream impacts.
  - Explanation of how this works, its possible effects and downsides.
  - Explanation of how you found this issue.
  - Your or your organisation's genuine name, as it will appear on the invoice at the payment stage.
- Restrictions:
  - Do not exploit the vulnerability beyond what is necessary to demonstrate its existence.
  - Do not upload random images or data, capture images, or do anything that damages the SyncEzy brand or assets.
  - Do not violate the privacy of our users, disrupt our services, or destroy any data.
  - Doing any of the above will result in disqualification from the bounty program, as you are no longer an ethical hacker if you are causing damage.
  - Duplicate reports will not be paid. If multiple reports for the same issue are received, only the first submission will be eligible for a reward. Subsequent reports, even if they provide additional information, will not qualify for payment.
  - Public disclosure of vulnerabilities will not be paid. Bugs should only be reported directly to us and not shared publicly, including on social media, forums, blogs, or with any media outlets. Disclosing vulnerabilities to any public platform or third party before allowing us to address the issue will disqualify the report from receiving a bounty.
- Eligibility:
  - Minor issues or spurious reports that do not pose a significant risk will not be eligible for rewards.
  - The decision of SyncEzy management on the severity of the bug report is final.
  - Bounties are only paid for P1, P2, and P3 bugs with clear and full disclosure. For P3 issues and lower, the bounty is at the discretion of the SyncEzy team.
  - Reports on the SyncEzy.com WordPress site, contact forms, chatbot inputs, and other basic errors do not qualify for the bug bounty.
  - Do NOT start chats on the chatbot, contact support staff, or send emails or LinkedIn messages to SyncEzy team members. The right team will communicate with you through the ticket.
  - Report only genuine security issues. Do not report issues like SPF records, typos, or supposed ways the business logic could be different (for example, phone number validation by OTP). The system is designed to suit our and our customers' business needs.
- Program Scope: The bug bounty program aims to make our integration platform secure. Reports not directly related to this will not qualify for the bounty.
- Authority: SyncEzy reserves the right to decide what qualifies as a bug for the program. Our team’s decision on the reports is final. We will make these decisions in line with the policy described above. We may change the reward or the policy as required by the business.
Exclusions:
- SyncEzy.com WordPress site.
- All standard WordPress-based vulnerabilities. SyncEzy.com is a WordPress site.
- Basic issues like typos and non-critical subdomains.
After You Report:
Acknowledgment & Response Limitations:
- You will receive an automated email acknowledging receipt of your report with a Ticket Number.
- We will only contact reporters of P1 or P2 level serious vulnerabilities. Confirmation of these genuine issues will be sent within 2 weeks of ticket submission.
- Please refrain from sending multiple reminders or starting different email threads asking for an update. If the ticket is a genuine issue and classified as P1 or P2, you will hear back from our team within 2 weeks for further communication and a request for an invoice.
- For all other submissions, you will receive an automated confirmation of ticket closure.
- Response Time: Please allow 2 weeks for us to respond. Do not contact the team on LinkedIn or via direct emails to follow up on the issue; we will communicate with you directly via the ticket.
- Acknowledgment of Valid Reports: All valid reports will be acknowledged with the severity and payment amount within 4 weeks of invoice.
- Bounty Payment: For qualified reports, the payment will be made in the currency of your choice to a local bank account or PayPal, as required. You may be required to provide an invoice with details. Once an invoice is provided, payment will be made in the next payment cycle, usually within 30 days.
Reward Structure:
P1 (Priority 1): US$100 Reward
Critical vulnerabilities that require immediate attention and fixing. These vulnerabilities can have a severe impact on the confidentiality, integrity, and availability of the system.
- SQL Injection
- Remote Code Execution
- Authentication Bypass
- Privilege Escalation
- Sensitive Data Exposure (e.g., unencrypted sensitive data in transit)
- Critical Broken Access Control
- Severe Command Injection
- Critical Insecure Deserialization
P2 (Priority 2): US$50 Reward
High-priority vulnerabilities that should be addressed promptly but are not as urgent as P1. These can still have significant impacts if exploited but might require more specific conditions to exploit.
- Stored Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- Security Misconfiguration (e.g., default passwords, misconfigured permissions)
- Insufficient Logging and Monitoring (in critical systems)
- Sensitive Data Exposure (e.g., weak encryption)
- Insecure Direct Object References (IDOR)
- Reflected Cross-Site Scripting (XSS)
P3 (Priority 3): US$25 Reward
Moderate and low-priority vulnerabilities that still need to be addressed but are less likely to cause significant harm. These issues might have a lower impact or be harder to exploit.
- DOM-based Cross-Site Scripting (XSS)
- Minor Security Misconfigurations
- Information Disclosure (e.g., detailed error messages)
- Weak Password Policies
- Improper CORS Configuration
- Insufficient Logging and Monitoring (in non-critical systems)
- Use of Components with Known Vulnerabilities (non-critical components)
- Business Logic Vulnerabilities (with limited impact)
Thank you for helping us keep SyncEzy secure!