Security Bug Bounty Program

As threats evolve and increase in both frequency and sophistication, Synology is working with security researchers to maintain and further bolster our protections.

Synology’s Security Bug Bounty Program grants recognition and monetary rewards to researchers who identify potential vulnerabilities and cooperate with us in to ensure the safety of our customers.

Product Scope

This program only accepts vulnerability reports related to Synology’s products and web services. Vulnerability reports that fall outside of the program’s scope do not generally qualify for rewards; however, out-of-scope reports of critical vulnerabilities may be accepted depending on the situation.

Operating systems

Rewards of up to US$20,000

Includes Synology DiskStation Manager and Synology Router Manager.

Software and C2 cloud services

Rewards of up to US$10,000

Includes Synology-developed software packages, related mobile apps, and C2 cloud services.

Web services

Rewards of up to US$5,000

Includes all major Synology web services.

Operating systems

Reward	Qualified reports are eligible for a reward of up to US$20,000.
Products within scope	Only reports about officially released versions are accepted. DiskStation Manager (DSM) DSM 6 (latest version), DSM 7 (latest version) Packages installed by default Synology Router Manager (SRM) SRM 1.3 (latest version) Packages installed by default
Regulations and restrictions	This program is strictly limited to security vulnerabilities found in Synology products and services. Actions that could potentially damage or detrimentally affect Synology servers or data are strictly forbidden. Vulnerability testing must not breach local or Taiwanese laws. Vulnerability reports are not accepted under the program if they describe or involve: DoS (Denial of Service) attacks on Synology’s or users' servers Vulnerability testing that is detrimental to Synology’s or users’ servers or data Physical attacks or social engineering Disclosure of bug information before approval by Synology Non-critical vulnerabilities in outdated services or products Vulnerabilities affecting only outdated web browsers Most types of brute-force attack Reflected XSS attacks Vulnerabilities that involve phishing, creation of fake websites, or committing fraud Vulnerability scanning reports that do not detail the vulnerability’s effects Indications that default ports are vulnerable, but without providing a PoC

Reward

Qualified reports are eligible for a reward of up to US$20,000.

Products within scope

Only reports about officially released versions are accepted.

DiskStation Manager (DSM)

DSM 6 (latest version), DSM 7 (latest version)
Packages installed by default

Synology Router Manager (SRM)

SRM 1.3 (latest version)
Packages installed by default

Regulations and restrictions

This program is strictly limited to security vulnerabilities found in Synology products and services. Actions that could potentially damage or detrimentally affect Synology servers or data are strictly forbidden. Vulnerability testing must not breach local or Taiwanese laws.

Vulnerability reports are not accepted under the program if they describe or involve:

DoS (Denial of Service) attacks on Synology’s or users' servers
Vulnerability testing that is detrimental to Synology’s or users’ servers or data
Physical attacks or social engineering
Disclosure of bug information before approval by Synology
Non-critical vulnerabilities in outdated services or products
Vulnerabilities affecting only outdated web browsers
Most types of brute-force attack
Reflected XSS attacks
Vulnerabilities that involve phishing, creation of fake websites, or committing fraud
Vulnerability scanning reports that do not detail the vulnerability’s effects
Indications that default ports are vulnerable, but without providing a PoC

Software and C2 cloud services

Reward	Qualified reports are eligible for a reward of up to US$10,000.
Products within scope	Only reports about officially released versions are accepted. Packages Synology-developed software packages Desktop clients Synology-developed Windows, macOS, and Linux applications Mobile apps Synology-developed mobile apps for Android and iOS Synology Account .account.synology.com domains .identity.synology.com domains C2 services *.c2.synology.com domains
Regulations and restrictions	This program is strictly limited to security vulnerabilities found in Synology products and services. Actions that could potentially damage or detrimentally affect Synology servers or data are strictly forbidden. Vulnerability testing must not breach local or Taiwanese laws. Vulnerability reports are not accepted under the program if they describe or involve: DoS (Denial of Service) attacks on Synology’s or users' servers Vulnerability testing that is detrimental to Synology’s or users’ servers or data Physical attacks or social engineering Disclosure of bug information before approval by Synology Non-critical vulnerabilities in outdated services or products Vulnerabilities affecting only outdated web browsers Most types of brute-force attack Reflected XSS attacks Vulnerabilities that involve phishing, creation of fake websites, or committing fraud Vulnerability scanning reports that do not detail the vulnerability’s effects Indications that default ports are vulnerable, but without providing a PoC

Reward

Qualified reports are eligible for a reward of up to US$10,000.

Products within scope

Only reports about officially released versions are accepted.

Packages

Synology-developed software packages

Desktop clients

Synology-developed Windows, macOS, and Linux applications

Mobile apps

Synology-developed mobile apps for Android and iOS

Synology Account

*.account.synology.com domains
*.identity.synology.com domains

C2 services

*.c2.synology.com domains

Regulations and restrictions

Vulnerability reports are not accepted under the program if they describe or involve:

DoS (Denial of Service) attacks on Synology’s or users' servers
Vulnerability testing that is detrimental to Synology’s or users’ servers or data
Physical attacks or social engineering
Disclosure of bug information before approval by Synology
Non-critical vulnerabilities in outdated services or products
Vulnerabilities affecting only outdated web browsers
Most types of brute-force attack
Reflected XSS attacks
Vulnerabilities that involve phishing, creation of fake websites, or committing fraud
Vulnerability scanning reports that do not detail the vulnerability’s effects
Indications that default ports are vulnerable, but without providing a PoC

Web services

Reward	Qualified reports are eligible for a reward of up to US$5,000.
Products within scope	The following domains (including sub-domains) are in scope: *.synology.com The following domains (including sub-domains) are out of scope: openstack-ci-logs.synology.com, router.synology.com, order.synology.com Synology reserves the right to modify this list at any time without notice.
Regulations and restrictions	This program is strictly limited to security vulnerabilities found in Synology products and services. Actions that could potentially damage or detrimentally affect Synology servers or data are strictly forbidden. Vulnerability testing must not breach local or Taiwanese laws. Vulnerability reports are not accepted under the program if they describe or involve: DoS (Denial of Service) attacks on Synology’s or users' servers Vulnerability testing that is detrimental to Synology’s or users’ servers or data Physical attacks or social engineering Disclosure of bug information before approval by Synology Non-critical vulnerabilities in outdated services or products Vulnerabilities affecting only outdated web browsers Most types of brute-force attack Reflected XSS attacks Vulnerabilities that involve phishing, creation of fake websites, or committing fraud Vulnerability scanning reports that do not detail the vulnerability’s effects Indications that default ports are vulnerable, but without providing a PoC

Reward

Qualified reports are eligible for a reward of up to US$5,000.

Products within scope

The following domains (including sub-domains) are in scope:

*.synology.com

The following domains (including sub-domains) are out of scope:

openstack-ci-logs.synology.com, router.synology.com, order.synology.com

Synology reserves the right to modify this list at any time without notice.

Regulations and restrictions

Vulnerability reports are not accepted under the program if they describe or involve:

DoS (Denial of Service) attacks on Synology’s or users' servers
Vulnerability testing that is detrimental to Synology’s or users’ servers or data
Physical attacks or social engineering
Disclosure of bug information before approval by Synology
Non-critical vulnerabilities in outdated services or products
Vulnerabilities affecting only outdated web browsers
Most types of brute-force attack
Reflected XSS attacks
Vulnerabilities that involve phishing, creation of fake websites, or committing fraud
Vulnerability scanning reports that do not detail the vulnerability’s effects
Indications that default ports are vulnerable, but without providing a PoC

Reward eligibility criteria

Please provide any information we need to reproduce the reported issues. The size of each reward depends on the severity of the reported vulnerability and which product category is affected.

To qualify for monetary rewards, reports must meet the following criteria:

You are the first researcher to report this vulnerability
The reported vulnerability is confirmed to be verifiable, replicable, and a valid security issue
Your report complies with the Bounty Program’s terms and regulations

Reporting security bugs

If you believe you have found a vulnerability, please follow the steps below:

Step 1

Step 2

Use this PGP key to encrypt your information when sending bug reports to Synology.

Step 3

Include a detailed proof of concept (PoC) and make sure that the reported issues can be reproduced.

Step 4

Keep your description succinct. For example, a short proof-of-concept link is valued higher than a video explaining the consequences of an SSRF issue.

Your and our responsibilities

Your report

To reduce our processing time, a good vulnerability report should:

Contain a clearly written step-by-step description in English of how to reproduce the vulnerability
Demonstrate how the vulnerability affects Synology products or web services, and describe which versions and platforms are affected
State the potential damage caused by the reported vulnerability

Our response

The Synology Security Team will respond to your report within 7 days and regular update the status and fix the vulnerability as soon as possible, depending on the severity of the threat posed.

If your vulnerability report qualifies for a monetary reward, your name will be listed on the Synology Product Security Advisory page on our official website as a gesture of our appreciation.

This process will take at least 90 days. Your reward will be transferred to you upon completion of the process.

Notes:

Synology reserves the right to change or cancel this program, including its policies, at any time without prior notice.

FAQs

How should I report a vulnerability?

Who is responsible for determining whether my bug report is eligible for a reward?

What is the consequence if a bug is publicly disclosed before being fixed?

Are vulnerabilities found in outdated software such as Apache or Nginx qualified for a reward?

Can I request that my name not be listed on Synology’s Security Advisory page?

Are vulnerabilities still eligible for a reward if they are reported to vulnerability brokers?

Who is qualified for a bounty if the same bug is reported by more than one person?

Acknowledgement

We want to give a tip of our hat to security researchers and organizations that have helped us.

Endure Secure (https://endsec.au)
Stephen Argent (https://www.runby.coffee/)
Qian Chen (@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group

Kevin Wang (https://twitter.com/kevingwn_ )
Shubham Kushwaha/ meenakshi Maurya (https://github.com/anabelle666)
Safwat Refaat (@Caesar302)
Jeffrey Baker (www.Biznet.net)
Monisha N (https://www.linkedin.com/in/monisha-nagaraj-321524218/)
Ravi (https://twitter.com/itsrvsinghh)
remonsec (https://twitter.com/remonsec)
TheLabda (https://thelabda.com)
Grant Kellie (https://www.linkedin.com/in/grant-kellie-54a23b238/)
pulla karthik srivastav (https://www.linkedin.com/in/karthik-srivastav-680359192)
Muhammad Tanvir Ahmed https://www.facebook.com/tohidulislam.tanvir.948
Eugene Lim, Government Technology Agency of Singapore (https://spaceraccoon.dev)
Laurent Sibilla (https://www.linkedin.com/in/lsibilla/)
Thomas Werschlein (https://www.linkedin.com/in/thomas-werschlein-2293384b)
Sivanesh kumar (https://twitter.com/sivanesh_hacker)
Davis Chang. (https://www.linkedin.com/in/hong-tsun-davis-chang/)
@aoxsin (https://twitter.com/aoxsin)
Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
Hasibul Hasan Shawon (@Saiyan0x01)
Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
Zain Iqbal (https://www.linkedin.com/in/zain-iqbal-971b76254/)
Lukas Kupczyk, CrowdStrike Intelligence
Tomasz Szczechura (https://www.linkedin.com/in/tomasz-szczechura-5189098b/)

Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group
Patrik Fabian (https://websafe.hu)
Eugene Lim, Government Technology Agency of Singapore (https://spaceraccoon.dev)
Jeenika Anadani (https://twitter.com/j33n1k4)
waterpeitw (https://zeroday.hitcon.org/user/waterpeitw)
Milan katwal (https://www.milankatwal.com.np/)
N S R de Rooy (https://www.linkedin.com/in/norbert-de-rooy-9b24527/)
Christian Tucci (https://www.linkedin.com/in/christian-tucci/)
Ravindra Dagale (https://www.linkedin.com/in/ravindra-dagale-5b0913151/)
Sanket Anil Ambalkar (https://www.linkedin.com/in/sanket-ambalkar-70211518b/)
Chirag Agrawal (https://www.linkedin.com/in/chirag-agrawal-770488144/)
Yimi Hu@baidu.com
Raman R Mohurle (https://twitter.com/Raman_Mohurle)
cmj (http://blog.cmj.tw/)
Parth Manek
Patrick Williams (https://www.linkedin.com/in/patrick-williams-6992b4104/)
Amaranath Moger (https://www.linkedin.com/in/amaranath-moger/)
Dennis Herrmann (Code White GmbH)
Siddharth Parashar (https://www.linkedin.com/in/siddharth-parashar-b2a21b1b5/)
Sahil Soni (https://twitter.com/sahil__soni_18?s=08)
Hasibul Hasan Shawon -[Sec Miner's Bangladesh]
Devender Rao (https://www.linkedin.com/in/devender-rao)
RAJIB BAR (https://www.linkedin.com/in/rajib-bar-rjb-b3683314b)
Atharv Shejwal (https://kongsec.io)
Xavier DANEST (https://sustainability.decathlon.com/)
Aditya Shende (http://kongsec.io)
Andreas Rothenbacher (https://error401.de)
Rachit Verma @b43kd00r (https://www.linkedin.com/in/b43kd00r/)
Suraj SK (https://www.linkedin.com/in/suraj-sk/)
Simon Effenberg (https://www.linkedin.com/in/simon-effenberg)
Niraj Mahajan (https://www.linkedin.com/in/niraj1mahajan)
Ayush Pandey (https://www.linkedin.com/in/ayush-pandey-148797175)
Sivanesh kumar D (https://twitter.com/sivanesh_hacker?s=09)
Touhid Shaikh (https://securityium.com/)
N Krishna Chaitanya (https://www.linkedin.com/in/n-krishna-chaitanya-27926aba/)
Ayush Mangal (https://www.linkedin.com/in/ayush-mangal-48a168110)
Tameem Khalid (https://www.linkedin.com/in/tameem-khalid-641a4b192/)
ddaa of TrapaSecurity (https://twitter.com/0xddaa)
Praveen Kumar
Oscar Spierings (https://polyform.dev)
Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
swings of Chaitin Security Research Lab
Hasibul Hasan Rifat (https://twitter.com/rifatsec)
Lanni
Yeshwanth (https://www.linkedin.com/in/yeshwanth-b-4a560b202)
Darshan Sunil jogi (https://www.linkedin.com/in/darshan-jogi-9450431b6/)

Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
Lanni
Swapnil Patil (https://www.linkedin.com/in/swapnil-patil-874223195)
Vladislav Akimenko (Digital Security) (https://dsec.ru)
Muhammad Junaid Abdullah (https://twitter.com/an0n_j)
Claudio Bozzato of Cisco Talos (https://talosintelligence.com/vulnerability_reports/)
Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
Aditya Soni (https://www.linkedin.com/in/adtyasoni)
Mansoor Amjad (https://twitter.com/TheOutcastCoder)
Thomas Fady (https://www.linkedin.com/in/thomas-fady)
James Smith (Bridewell Consulting) (https://bridewellconsulting.com)
Kinshuk Kumar (https://www.linkedin.com/in/kinshuk-kumar-4833551a1/)
Amit Kumar (https://www.linkedin.com/in/amit-kumar-9853731a4)
Mehedi Hasan Remon (twitter.com/remonsec)
Joshua Olson (www.linkedin.com/in/joshua-olson-cysa)
Vaibhav Rajeshwar Atkale(https://twitter.com/atkale_vaibhav)
Mohammed Eldawody (www.fb.com/eldawody0)
YoKo Kho (https://twitter.com/YoKoAcc)
Satyajit Das (https://www.linkedin.com/in/mrsatyajitdas)
Tinu Tomy (https://twitter.com/tinurock007)
Aniket Bhutani (https://www.linkedin.com/in/aniket-bhutani-6ba979192/)
Anurag Muley (https://www.linkedin.com/in/ianuragmuley/)
Howard Ching (https://www.linkedin.com/in/howard-ching-rhul/)
Janmejaya Swain (https://www.linkedin.com/in/janmejayaswainofficial)
Ahmad Firmansyah (https://twitter.com/AhmdddFsyaaah)
Agrah Jain (www.linkedin.com/in/agrahjain)
Shivam Kamboj Dattana (https://www.linkedin.com/in/sechunt3r/)
Pratik Vinod Yadav (https://twitter.com/PratikY9967)
Akshaykumar Kokitkar (https://mobile.twitter.com/cyber_agent2)
Shesha Sai C (https://www.linkedin.com/in/shesha-sai-c-18585b125)
Yash Agarwal (https://www.linkedin.com/in/yash-agarwal-17464715b)
Jan KOPEC(https://twitter.com/blogresponder)
Denis Burtanović
Hasibul Hasan Shawon -[Sec Miner's Bangladesh]

R Atik Islam (https://www.facebook.com/atik.islam.14661)
Jose Israel Nadal Vidal (https://twitter.com/perito_inf)
Thomas Grünert (https://de.linkedin.com/in/thomas-gr%C3%BCnert-250905168)
Matteo Bussani (https://www.linkedin.com/in/matteo-bussani-77b595198/)
Bing-Jhong Jheng (https://github.com/st424204/ctf_practice)
Swapnil Patil (https://www.linkedin.com/in/swapnil-patil-874223195)
Prakash Kumar Parthasarathy (https://www.linkedin.com/in/prakashofficial)
Kitab Ahmed (www.ahmed.science)
Ahmad Firmansyah (https://twitter.com/AhmdddFsyaaah)
Tiziano Di Vincenzo (https://www.linkedin.com/in/tiziano-d-3324a345/)
Pratik Vinod Yadav (https://www.linkedin.com/in/pratik-yadav-117463149)
Diwakar Kumar (https://www.linkedin.com/in/diwakar-kumar-5b3843114/)
Rushi Gayakwad
Yash Ahmed Quashim (https://www.facebook.com/abir.beingviper)
Swapnil Kothawade (https://twitter.com/Swapnil_Kotha?s=09)
Ankit Kumar (https://www.linkedin.com/in/ankit-kumar-42a644166/)
Aman Rai (https://www.linkedin.com/in/aman-rai-737a19146)
Rushikesh Gaikwad (https://www.linkedin.com/in/rushikesh-gaikwad-407163171)
Rupesh Tanaji Kokare (https://www.linkedin.com/in/rupesh-kokare-b63a78145/)
Sumit Jain (https://twitter.com/sumit_cfe)
Qian Chen of Qihoo 360 Nirvan Team
Vishal Vachheta (https://www.linkedin.com/in/vishal-vachheta-a30863122)
Zhong Zhaochen
Tomasz Grabowski
Nightwatch Cybersecurity Research (https://wwws.nightwatchcybersecurity.com)
Safwat Refaat (https://twitter.com/Caesar302)
Agent22 (https://securelayer7.net/)
Hsiao-Yung Chen
Rich Mirch (https://blog.mirch.io)
Ronak Nahar (https://www.linkedin.com/in/naharronak/)
Noman Shaikh (https://twitter.com/nomanAli181)
David Deller (https://horizon-nigh.org)
Mehedi Hasan (SecMiners BD) (https://www.facebook.com/polapan.1337)
Touhid M Shaikh (https://touhidshaikh.com)
Abhishek Gaikwad
Kitabuddin Ahmed
Noman Shaikh (https://twitter.com/nomanAli181)
Ajit Sharma (https://www.linkedin.com/in/ajit-sharma-90483655)
Agung Saputra Ch Lages (https://twitter.com/lagesgeges)
Dan Thomsen (www.thomsen.fo)
Erik de Jong (https://eriknl.github.io)
Sphinx 1,2 (https://www.facebook.com/Sphinx01.10/)
AHMED ELSADAT (https://www.linkedin.com/in/ahmed-elsadat-138755133/)
Hasibul Hasan (SecMiner)
Mohammed Eldawody (www.fb.com/eldawody0)
Chris Schneider
Abdullah Fares Muhanna (https://www.facebook.com/AbedullahFares)
Nick Blyumberg (https://www.linkedin.com/in/nickblyumberg/)
Axel Peters
Muhammad Junaid Abdullah (https://twitter.com/an0n_j)
Kyle Green
Thomas Fady (https://www.linkedin.com/in/thomas-fady)
Dankel Ahmed (https://hackerone.com/kitab)
ShuangYY
HackTrack Security
Muhammed Ashmil K K (Kavuthukandiyil)

Muhammad Junaid Abdullah (https://twitter.com/snoviboy)
Kishan kumar (https://facebook.com/noobieboy007)
Lays (http://l4ys.tw)
Ashish Kumar (https://www.facebook.com/buggyashish)
Lakshay Gupta (http://linkedin.com/in/lakshay-gupta-44102a143)
Meng-Huan Yu (https://www.linkedin.com/in/cebrusfs/)
Ifrah Iman (http://www.ifrahiman.com)
Mohammed Israil (https://www.facebook.com/VillageLad, https://www.linkedin.com/in/mohammed-israil-221656128)
Taien Wang (https://www.linkedin.com/in/taienwang/)
Emad Shanab (@Alra3ees) (https://twitter.com/Alra3ees?s=09)
குகன் ராஜா (Havoc Guhan) (https://fb.com/havocgwen)
Yasser Gersy (https://twitter.com/yassergersy)
Ismail Tasdelen (https://www.linkedin.com/in/ismailtasdelen)
Thomas Fady (https://www.linkedin.com/in/thomas-fady)
Oliver Kramer (https://www.linkedin.com/in/oliver-kramer-670206b5)
1N3@CrowdShield (https://crowdshield.com)
louys, Xie Wei (解炜), Li Yanlong (李衍龙)
Zuo Chaoshun (https://www.linkedin.com/in/chaoshun-zuo-5b9559111/)
Ali Razzaq (https://twitter.com/AliRazzaq_)
丁諭祺(Yu-Chi Ding) from DEVCORE CHROOT
Alex Weber (www.broot.ca)
Alex Bastrakov (https://twitter.com/kazan71p)
Mehidia Tania (https://www.beetles.io)
freetsubasa (https://twitter.com/freetsubasa)
Łukasz Rutkowski (http://www.forit.pl/)
Maximilian Tews (www.linkedin.com/in/maximilian-tews)
Bryan Galao (https://www.facebook.com/xbryan.galao)
Jim Zhou (vip-cloud.cn)
Chun Han Hsiao
Nightwatch Cybersecurity Research (https://wwws.nightwatchcybersecurity.com)
Olivier Bédard
Mohamed Eldawody (https://www.facebook.com/Eldawody0)
Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
郑吉宏通过 GeekPwn 平台提交
Independent Security Evaluators (ISE) labs
Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
B.Dhiyaneshwaran (https://www.linkedin.com/in/dhiyaneshwaran-b-27947a131/)
Freiwillige Feuerwehr Rohrbach (www.ff-rohrbach.de)
Uriya Yavnieli from VDOO (https://vdoo.com)
Jung Chan Hyeok
Zhong Zhaochen (http://asnine.com)

Honc 章哲瑜 (https://www.facebook.com/you.toshoot)
Sumit Jain
Ketankumar B. Godhani (https://twitter.com/KBGodhani)
karthickumar (Ramanathapuram)
Alireza Azimzadeh Milani
Taien Wang (https://www.facebook.com/taien.tw)
Frédéric Crozat (http://blog.crozat.net/)
Muhammad Hassaan Khan (https://www.facebook.com/Profile.Hassaan)
SSD/Kacper Szurek
Alexander Drabek (https://www.2-sec.com/)
RAVELA PRAMOD KUMAR (https://mobile.twitter.com/PramodRavela)
Kushal Arvind Shah of Fortinet’s FortiGuard Labs
Alvin Poon (https://alvinpoon.myportfolio.com/)
C.shahidyan, C.Akilan, K.Sai Aswanth
BambooFox (https://bamboofox.github.io/)
Sajibe Kanti (https://twitter.com/sajibekantibd)
Huy Kha (linkedin.com/in/huykha)
Pal Patel (https://www.linkedin.com/in/pal434/)
Pethuraj M (https://www.linkedin.com/in/pethu/)
Ali Ashber (https://www.facebook.com/aliashber7)
Muzammil Abbas Kayani (@muzammilabbas2 )
Tayyab Qadir (facebook.com/tqMr.EditOr)
Babar Khan Akhunzada (www.SecurityWall.co)
Mahad Ahmed (https://octadev.com.pk)
JD Duh (blog.johndoe.tw, www.linkedin.com/in/JD-Duh)
Mubassir Kamdar (http://www.mubassirkamdar.com)
Daniel Díez Tainta (https://twitter.com/danilabs)
Tushar Rawool (twitter.com/tkrawool)
Thrivikram Gujarathi (https://www.linkedin.com/in/thrivikram-gujarathi-certified-ethical-hacker-bug-bounty-hunter-53074796)
Ashish Kunwar (twitter: @D0rkerDevil)
Steven Hampton (Twitter: @Keritzy, https://stevenh.neocities.org/)
Peter Bennink (https://www.linkedin.com/in/peter-bennink/)
Thomas Fady (https://www.linkedin.com/in/thomas-fady/)
Roopak Voleti (https://m.facebook.com/sairoopak.voleti)