Services / products in scope

  • DSM
    • DSM 6.1 latest version
    • Packages: Active Backup for Server, Active Directory Server, Antivirus Essential, Audio Station, Calendar, CardDAV Server, Chat, Cloud Station Server, Cloud Station Share Sync, Cloud Sync, CMS, Directory Server, DNS Server, Document Viewer, Download Station, File Station, Glacier Backup, Hyper Backup / Hyper Backup Vault, Log Center, MailPlus / MailPlus Server, Media Server, Note Station, PDF Viewer, PetaSpace, Proxy Server, RADIUS Server, Office / Spreadsheet, SSO Server, Storage Analyzer, Surveillance Station, Universal Search, Synology Application Service, SMI-S Provider, Text Editor, USB Copy, Video Station, VPN Server, WebDAV Server, Web Station
  • SRM
    • SRM 1.1 latest version
    • Packages: VPN Plus
  • Synology cloud service
    • account.synology.com
    • c2.synology.com

Bug investigation and reporting

Please contact us at bounty@synology.com if you have found a vulnerability, and use the PGP key provided by Synology to encrypt bug reports you send to us. The Synology Security Team will respond to your report within 3 days and will release a fix for the vulnerability according to its severity. Your credit will be listed on our Security Advisory page after the reported vulnerability is confirmed to be eligible, and your bounty will be transferred to your bank account within 60 days after the fix is released.

Any vulnerability testing must not violate any law. Please target only your own accounts and devices when investigating and testing a vulnerability, and never attempt to access accounts, devices, or data that are not your own. Any activity that is potentially detrimental to Synology or its users is strictly forbidden. 

When reporting a vulnerability, please provide a detailed PoC (Proof of Concept) and make sure that the reported issues can be reproduced. We encourage you to provide succinct information. For example, a short proof-of-concept link is valued higher than a video explaining the consequences of an SSRF issue. Please note the following during bug investigation and reporting:

Disclosing any bug information before our prior approval, or posting anything that may negatively impact this program or Synology, is strictly forbidden. In addition, you must never attempt to affect Synology’s official services or violate any applicable laws or regulations.

Please note that we only respond to technical vulnerability reports. For non-security bugs or queries, please contact Synology Support Center.

Synology reserves the right to change or cancel this Program, including its policies, at any time, without notice.

Qualifying vulnerabilities

  • Server-side Remote Code Execution (RCE)
  • Stored Cross-site Scripting (XSS)
  • Cross-site Request Forgery
  • Server-Side Request Forgery (SSRF)
  • SQL Injection
  • XML External Entity Attacks (XXE)
  • Access Control Issues
  • Exposed administrative panels that do not require login credentials
  • Directory Traversal Issues
  • Local File Disclosure (LFD)

Non-qualifying vulnerabilities

Synology reserves the right to determine whether a reported issue qualifies for a reward. In certain cases, software bugs are not considered security issues. Some of the exceptions are listed as follows:

  • Outdated services or products
  • XSS issues affecting only outdated browsers
  • Most brute force attack issues
  • Security bugs in software related to an acquisition for a period of 90 days following any public announcement
  • Reports stating that software is out of date or vulnerable without a proof of concept
  • Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
  • Reports derived from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
  • Denial of Service Attacks
  • Reflected File Download (RFD)
  • Physical or social engineering attempts
  • Content injection issues
  • Missing autocomplete attributes
  • Missing cookie flags on non-security-sensitive cookies
  • Issues that require physical access to a victim’s computer
  • Missing security headers that do not present an immediate security vulnerability
  • Fraud issues
  • SSL/TLS scan reports (e.g., output from sites such as SSL Labs)
  • Banner grabbing issues (figuring out what web server we use, etc.)
  • Opened ports without providing proof-of-concept demonstrating vulnerability
  • Recently disclosed 0-day vulnerabilities

Reward

Qualified bug reports will be rewarded US$50 to $5,000. Please make sure that enough information is provided so that we can reproduce the issues you reported. For example, screenshots and videos are helpful materials. Bug reports should be submitted according to our program terms and conditions and should not be disclosed publicly without our prior consent.

Rewards are offered depending on the severity of the reported bugs; that is, higher rewards may be granted to researchers who discover severe vulnerabilities. A single report that actually contains multiple bugs may warrant a higher reward, while multiple reports that are in fact closely related may only qualify for a single reward.

You will be eligible to receive a bounty only if you meet all the following conditions: 

  1. You are the first person to submit a particular vulnerability to us.
  2. Synology confirms that the vulnerability you reported is verifiable, replicable, and determined to be a valid security issue.
  3. You have complied with the program terms and conditions.

Bounty payment, if any, as well as its format, currency, and timing shall be determined at Synology’s sole discretion. Those who are qualified for a bounty are responsible for any related tax implications, depending on their country of residence and citizenship. 

Synology reserves the right to change or cancel this Program, including its policies, at any time, without notice.

Frequently asked questions

How should I report a vulnerability? 

Please provide a detailed PoC (Proof of Concept) and make sure the reported issues can be reproduced. Use the PGP key provided by Synology to encrypt bug reports you send to us, and do not disclose the relevant information to any third party.


Who is responsible for determining whether my bug report is eligible for a reward?

All the bug reports are reviewed and evaluated by Synology Security Team, which is comprised of Synology’s senior security analysts. 


What’s the consequence if a bug is publicly disclosed before it is fixed?

We endeavor to respond to bug reports promptly and to fix them within a reasonable time period. Please notify us in advance before you publicly disclose the bug information. Any bug disclosure that does not follow this principle will not qualify for a reward.


Are vulnerabilities found in outdated software such as Apache or Nginx qualified for a bounty?

Please identify the specific vulnerabilities in the software and explain why you believe they are detrimental to its use. Reports omitting this type of information usually do not qualify for a bounty.


Can I request that my name not be listed on Synology’s Security Advisory page?

Yes. You can request not to be listed on our Security Advisory page. However, if you are qualified for a reward and you wish to accept it, we will still need your contact information in order to process the payment.


Are vulnerabilities still eligible for a reward if they are reported to vulnerability brokers?

Privately disclosing a vulnerability to third parties for purposes other than bug fixing is contradictory to the spirit of our program. Therefore, such reports will not be qualified for a reward. 


Who is qualified for a bounty if the same bug is reported by more than one person?

The reward is granted to the first person who reports a vulnerability previously unknown to us.

Acknowledgement

We would like to thank the following researchers and parties for helping to improve Synology’s product security: 

If you would like to have your name listed on our acknowledgement page after the vulnerabilities you reported have been disclosed, please let us know when sending bug reports to us.

2017

  • Honc 章哲瑜 (https://www.facebook.com/you.toshoot)
  • Sumit Jain
  • Ketankumar B. Godhani (https://twitter.com/KBGodhani)
  • karthickumar (Ramanathapuram)
  • Alireza Azimzadeh Milani
  • Taien Wang (https://www.facebook.com/taien.tw)
  • Frédéric Crozat (http://blog.crozat.net/)
  • Muhammad Hassaan Khan (https://www.facebook.com/Profile.Hassaan)
  • SSD/Kacper Szurek
  • Alexander Drabek (https://www.2-sec.com/)
  • RAVELA PRAMOD KUMAR (https://mobile.twitter.com/PramodRavela)
  • Kushal Arvind Shah of Fortinet’s FortiGuard Labs
  • Alvin Poon (https://alvinpoon.myportfolio.com/)
  • C.shahidyan, C.Akilan, K.Sai Aswanth
  • BambooFox (https://bamboofox.github.io/)
  • Sajibe Kanti (https://twitter.com/sajibekantibd)
  • Huy Kha (linkedin.com/in/huykha)
  • Pal Patel (https://www.linkedin.com/in/pal434/)