This Program only accepts vulnerability reports related to our products and web services. Vulnerability reports that are out of the program’s scope are not eligible for rewards; however, out-of-scope reports with critical vulnerabilities may be accepted depending on the situation.

Rewards

Please make sure the submitted reports contain enough information so that we can reproduce the issues you have reported. The value of the reward is determined based on the severity of the reported vulnerability and product category.

You are eligible for monetary rewards only if you have met all the following conditions:

  1. You are the first researcher to submit a report on a particular vulnerability.
  2. The vulnerability you reported is confirmed to be verifiable, replicable, and determined to be a valid security issue.
  3. You have complied with the program terms and regulations.

The monetary reward will be transferred to your bank account after the reported vulnerability has been disclosed by Synology Inc. This will take at least 90 days.

Please note that a good vulnerability report should include the following information in order to reduce our processing time:

  1. A clear, step-by-step textual description of how to reproduce the vulnerability.
  2. A demonstration of how the vulnerability affects Synology products or web services, including the affected versions and platforms.
  3. A statement of the potential damage the reported vulnerability could cause.

Bug investigation and reporting

Please contact us at bounty@synology.com if you have found a vulnerability, and encrypt your report with the PGP key provided by Synology. The Synology Security Team will respond to your report within three working days and will release a fix according to the severity of the vulnerability. Once the reported vulnerability has been confirmed to be eligible, you will be credited on our Security Advisory page and your monetary reward will be transferred to your bank account within 90 days.

When reporting a vulnerability, please provide a detailed proof of concept (PoC) and make sure the reported issue can be reproduced. Keep the report succinct: for example, a short PoC link demonstrating an SSRF issue is valued more highly than a video explaining its consequences. Please note the following during bug investigation and reporting:

Synology reserves the right to change or cancel this Program, including its policies, at any time, without notice.

Frequently asked questions

How should I report a vulnerability? 

Please provide a detailed proof of concept (PoC) and make sure the reported issue can be reproduced. Encrypt your report with the PGP key provided by Synology, and do not disclose the relevant information to any third party.


Who is responsible for determining whether my bug report is eligible for a reward?

All bug reports are reviewed and evaluated by the Synology Security Team, which comprises Synology's senior security analysts.


What is the consequence if a bug is publicly disclosed before being fixed?   

We endeavor to respond to bug reports promptly and to fix them within a reasonable time period. Please notify us before publicly disclosing any bug information. Disclosures that do not follow this principle will not qualify for a reward.


Are vulnerabilities found in outdated software such as Apache or Nginx qualified for a reward?

Please identify the specific vulnerabilities in the software and explain why you believe they are detrimental to the software's use in Synology's products. Reports that omit this information usually do not qualify for a bounty.


Can I request that my name not be listed on Synology’s Security Advisory page?

Yes. You can request not to be listed on our Security Advisory page. However, if you are qualified for a reward and wish to accept it, we will still need your contact information to process the payment.


Are vulnerabilities still eligible for a reward if they are reported to vulnerability brokers?

Privately disclosing a vulnerability to third parties for purposes other than bug fixing is contrary to the spirit of our program. Therefore, such reports will not qualify for a reward.


Who is qualified for a bounty if the same bug is reported by more than one person?

The reward is granted to the first person who discovers a vulnerability that was previously unknown to us. 

Acknowledgement

We would like to thank the following researchers and parties for helping to improve Synology's product security. If you would like your name listed on our acknowledgement page after the vulnerabilities you reported have been disclosed, please let us know when sending your bug report.

  • Muhammad Junaid Abdullah (https://twitter.com/snoviboy)
  • Kishan kumar (https://facebook.com/noobieboy007)
  • Lays (http://l4ys.tw)
  • Ashish Kumar (https://www.facebook.com/buggyashish)
  • Lakshay Gupta (http://linkedin.com/in/lakshay-gupta-44102a143)
  • Meng-Huan Yu (https://www.linkedin.com/in/cebrusfs/)
  • Ifrah Iman (http://www.ifrahiman.com)
  • Mohammed Israil (https://www.facebook.com/VillageLad, https://www.linkedin.com/in/mohammed-israil-221656128)
  • Taien Wang (https://www.linkedin.com/in/taienwang/)
  • Emad Shanab (@Alra3ees) (https://twitter.com/Alra3ees?s=09)
  • குகன் ராஜா (Havoc Guhan) (https://fb.com/havocgwen)
  • Yasser Gersy (https://twitter.com/yassergersy)
  • Ismail Tasdelen (https://www.linkedin.com/in/ismailtasdelen)
  • Thomas Fady (https://www.linkedin.com/in/thomas-fady)
  • Oliver Kramer (https://www.linkedin.com/in/oliver-kramer-670206b5)
  • 1N3@CrowdShield (https://crowdshield.com)
  • louys, Xie Wei (解炜), Li Yanlong (李衍龙)
  • Zuo Chaoshun (https://www.linkedin.com/in/chaoshun-zuo-5b9559111/)
  • Ali Razzaq (https://twitter.com/AliRazzaq_)
  • 丁諭祺(Yu-Chi Ding) from DEVCORE CHROOT
  • Alex Weber (www.broot.ca)
  • Alex Bastrakov (https://twitter.com/kazan71p)
  • Mehidia Tania (https://www.beetles.io)
  • freetsubasa (https://twitter.com/freetsubasa)
  • Łukasz Rutkowski (http://www.forit.pl/)
  • Maximilian Tews (www.linkedin.com/in/maximilian-tews)
  • Bryan Galao (https://www.facebook.com/xbryan.galao)
  • Jim Zhou (vip-cloud.cn)
  • Chun Han Hsiao
  • Nightwatch Cybersecurity Research (https://wwws.nightwatchcybersecurity.com)
  • Olivier Bédard
  • Mohamed Eldawody (https://www.facebook.com/Eldawody0)
  • Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
  • 郑吉宏 (submitted via the GeekPwn platform)
  • Independent Security Evaluators (ISE) labs
  • Honc 章哲瑜 (https://www.facebook.com/you.toshoot)
  • Sumit Jain
  • Ketankumar B. Godhani (https://twitter.com/KBGodhani)
  • karthickumar (Ramanathapuram)
  • Alireza Azimzadeh Milani
  • Taien Wang (https://www.facebook.com/taien.tw)
  • Frédéric Crozat (http://blog.crozat.net/)
  • Muhammad Hassaan Khan (https://www.facebook.com/Profile.Hassaan)
  • SSD/Kacper Szurek
  • Alexander Drabek (https://www.2-sec.com/)
  • RAVELA PRAMOD KUMAR (https://mobile.twitter.com/PramodRavela)
  • Kushal Arvind Shah of Fortinet’s FortiGuard Labs
  • Alvin Poon (https://alvinpoon.myportfolio.com/)
  • C.shahidyan, C.Akilan, K.Sai Aswanth
  • BambooFox (https://bamboofox.github.io/)
  • Sajibe Kanti (https://twitter.com/sajibekantibd)
  • Huy Kha (linkedin.com/in/huykha)
  • Pal Patel (https://www.linkedin.com/in/pal434/)
  • Pethuraj M (https://www.linkedin.com/in/pethu/)
  • Ali Ashber (https://www.facebook.com/aliashber7)
  • Muzammil Abbas Kayani (@muzammilabbas2)
  • Tayyab Qadir (facebook.com/tqMr.EditOr)
  • Babar Khan Akhunzada (www.SecurityWall.co)
  • Mahad Ahmed (https://octadev.com.pk)
  • JD Duh (blog.johndoe.tw, www.linkedin.com/in/JD-Duh)
  • Mubassir Kamdar (http://www.mubassirkamdar.com)
  • Daniel Díez Tainta (https://twitter.com/danilabs)
  • Tushar Rawool (twitter.com/tkrawool)
  • Thrivikram Gujarathi (https://www.linkedin.com/in/thrivikram-gujarathi-certified-ethical-hacker-bug-bounty-hunter-53074796)
  • Ashish Kunwar (twitter: @D0rkerDevil)
  • Steven Hampton (Twitter: @Keritzy, https://stevenh.neocities.org/)
  • Peter Bennink (https://www.linkedin.com/in/peter-bennink/)
  • Thomas Fady (https://www.linkedin.com/in/thomas-fady/)
  • Roopak Voleti (https://m.facebook.com/sairoopak.voleti)