This program accepts only vulnerability reports related to our products and web services. Reports that are out of the program's scope are not eligible for rewards; however, out-of-scope reports of critical vulnerabilities may be accepted depending on the situation.


Please make sure the submitted reports contain enough information so that we can reproduce the issues you have reported. The value of the reward is determined based on the severity of the reported vulnerability and product category.

You are eligible for monetary rewards only if you have met all the following conditions:

  1. You are the first researcher to submit a report on a particular vulnerability.
  2. The vulnerability you reported is confirmed to be verifiable and reproducible, and is determined to be a valid security issue.
  3. You have complied with the program terms and regulations.

The monetary reward will be transferred to your bank account after the reported vulnerability has been disclosed by Synology Inc. This will take at least 90 days.

Please note that a good vulnerability report should include the following information in order to reduce our processing time:

  1. Provides a clear, step-by-step textual description in English of how to reproduce the vulnerability.
  2. Demonstrates how the vulnerability affects Synology products or web services, including the affected versions and platforms.
  3. States the potential damage the reported vulnerability could cause.

Bug investigation and reporting

Please contact us at if you have found a vulnerability, and encrypt your report with the PGP key offered by Synology when sending it to us. The Synology Security Team will respond to your report within three business days and will release a fix on a timeline determined by the vulnerability's severity. Once the reported vulnerability has been confirmed to be eligible, your credit will be listed on our Security Advisory page and your monetary reward will be transferred to your bank account; this will take at least 90 days.

When reporting a vulnerability, please provide a detailed proof of concept (PoC) and make sure the reported issue can be reproduced. We encourage you to keep the information succinct: for example, a short PoC link that triggers an SSRF issue is valued more highly than a video explaining its consequences. Please note the following during bug investigation and reporting:

Synology reserves the right to change or cancel this Program, including its policies, at any time, without notice.

Frequently asked questions

How should I report a vulnerability?

Please provide a detailed PoC (proof of concept) and make sure the reported issue can be reproduced. Encrypt your report with the PGP key offered by Synology when sending it to us, and do not disclose the relevant information to any third party.

Who is responsible for determining whether my bug report is eligible for a reward?

All bug reports are reviewed and evaluated by the Synology Security Team, which is composed of Synology's senior security analysts.

What is the consequence if a bug is publicly disclosed before being fixed?

We endeavor to respond to bug reports promptly and to fix them within a reasonable time period. Please notify us in advance before you publicly disclose the bug information. Any disclosure that does not follow this principle will not qualify for a reward.

Are vulnerabilities found in outdated software such as Apache or Nginx qualified for a reward?

Please identify the specific vulnerabilities in that software and explain why you believe they are harmful to the product in which it is used; an outdated version number on its own is not enough. Reports omitting this information are usually not qualified for a bounty.

Can I request that my name not be listed on Synology’s Security Advisory page?

Yes. You can request not to be listed on our Security Advisory page. However, if you are qualified for a reward and wish to accept it, we will still need your contact information to process the payment.

Are vulnerabilities still eligible for a reward if they are reported to vulnerability brokers?

Privately disclosing a vulnerability to third parties for purposes other than getting it fixed is contrary to the spirit of our program. Therefore, such reports will not qualify for a reward.

Who is qualified for a bounty if the same bug is reported by more than one person?

The reward is granted to the first person who reports a vulnerability that was previously unknown to us.

We want to tip our hat to the security researchers and organizations that have helped us.

  • Aniket Bhutani
  • Anurag Muley
  • Howard Ching
  • Janmejaya Swain
  • Ahmad Firmansyah
  • Agrah Jain
  • Shivam Kamboj Dattana
  • Pratik Vinod Yadav
  • Akshaykumar Kokitkar
  • Shesha Sai C
  • Yash Agarwal
  • Jan KOPEC
  • Denis Burtanović
  • Hasibul Hasan Shawon (Sec Miner's Bangladesh)
  • R Atik Islam
  • Jose Israel Nadal Vidal
  • Thomas Grünert
  • Matteo Bussani
  • Bing-Jhong Jheng
  • Swapnil Patil
  • Prakash Kumar Parthasarathy
  • Kitab Ahmed
  • Ahmad Firmansyah
  • Tiziano Di Vincenzo
  • Pratik Vinod Yadav
  • Diwakar Kumar
  • Rushi Gayakwad
  • Yash Ahmed Quashim
  • Swapnil Kothawade
  • Ankit Kumar
  • Aman Rai
  • Rushikesh Gaikwad
  • Rupesh Tanaji Kokare
  • Sumit Jain
  • Qian Chen of Qihoo 360 Nirvan Team
  • Vishal Vachheta
  • Zhong Zhaochen
  • Tomasz Grabowski
  • Nightwatch Cybersecurity Research
  • Safwat Refaat
  • Agent22
  • Hsiao-Yung Chen
  • Rich Mirch
  • Ronak Nahar
  • Noman Shaikh
  • David Deller
  • Mehedi Hasan (SecMiners BD)
  • Touhid M Shaikh
  • Abhishek Gaikwad
  • Kitabuddin Ahmed
  • Noman Shaikh
  • Ajit Sharma
  • Agung Saputra Ch Lages
  • Dan Thomsen
  • Erik de Jong
  • Sphinx 1,2
  • Hasibul Hasan (SecMiner)
  • Mohammed Eldawody
  • Chris Schneider
  • Abdullah Fares Muhanna
  • Nick Blyumberg
  • Axel Peters
  • Muhammad Junaid Abdullah
  • Kyle Green
  • Thomas Fady
  • Dankel Ahmed
  • ShuangYY
  • HackTrack Security
  • Muhammed Ashmil K K (Kavuthukandiyil)
  • Muhammad Junaid Abdullah
  • Kishan kumar
  • Lays
  • Ashish Kumar
  • Lakshay Gupta
  • Meng-Huan Yu
  • Ifrah Iman
  • Mohammed Israil
  • Taien Wang
  • Emad Shanab (@Alra3ees)
  • குகன் ராஜா (Havoc Guhan)
  • Yasser Gersy
  • Ismail Tasdelen
  • Thomas Fady
  • Oliver Kramer
  • 1N3@CrowdShield
  • louys, Xie Wei (解炜), Li Yanlong (李衍龙)
  • Zuo Chaoshun
  • Ali Razzaq
  • 丁諭祺 (Yu-Chi Ding) from DEVCORE CHROOT
  • Alex Weber
  • Alex Bastrakov
  • Mehidia Tania
  • freetsubasa
  • Łukasz Rutkowski
  • Maximilian Tews
  • Bryan Galao
  • Jim Zhou
  • Chun Han Hsiao
  • Nightwatch Cybersecurity Research
  • Olivier Bédard
  • Mohamed Eldawody
  • Jose Hares
  • 郑吉宏, submitted via the GeekPwn platform
  • Independent Security Evaluators (ISE) Labs
  • Independent security researcher MengHuan Yu, who reported this vulnerability through Beyond Security's SecuriTeam Secure Disclosure program
  • B.Dhiyaneshwaran
  • Freiwillige Feuerwehr Rohrbach
  • Uriya Yavnieli from VDOO
  • Jung Chan Hyeok
  • Zhong Zhaochen
  • Honc 章哲瑜
  • Sumit Jain
  • Ketankumar B. Godhani
  • karthickumar (Ramanathapuram)
  • Alireza Azimzadeh Milani
  • Taien Wang
  • Frédéric Crozat
  • Muhammad Hassaan Khan
  • SSD/Kacper Szurek
  • Alexander Drabek
  • Kushal Arvind Shah of Fortinet's FortiGuard Labs
  • Alvin Poon
  • C.shahidyan, C.Akilan, K.Sai Aswanth
  • BambooFox
  • Sajibe Kanti
  • Huy Kha
  • Pal Patel
  • Pethuraj M
  • Ali Ashber
  • Muzammil Abbas Kayani (@muzammilabbas2)
  • Tayyab Qadir
  • Babar Khan Akhunzada
  • Mahad Ahmed
  • JD Duh
  • Mubassir Kamdar
  • Daniel Díez Tainta
  • Tushar Rawool
  • Thrivikram Gujarathi
  • Ashish Kunwar (Twitter: @D0rkerDevil)
  • Steven Hampton (Twitter: @Keritzy)
  • Peter Bennink
  • Thomas Fady
  • Roopak Voleti