Author Topic: Synology Bug Bounty  (Read 12867 times)

Angelina

  • Moderator
  • Experienced Member
  • Posts: 357
Synology Bug Bounty
« on: May 05, 2023, 05:26:15 pm »
Submit bug report: http://www.synology.com

Synology is dedicated to improving user privacy and information security. To optimize the environment we create for our users, we are running the Security Bug Bounty Program to reward researchers who identify potential vulnerabilities. Please read the following guidelines detailing this bounty program.
Services / products in scope
DSM
DSM 6.1 latest version
Packages: Active Backup for Server, Active Directory Server, Antivirus Essential, Audio Station, Calendar, CardDAV Server, Chat, Cloud Station Server, Cloud Station ShareSync, Cloud Sync, CMS, Directory Server, DNS Server, Document Viewer, Download Station, File Station, Glacier Backup, Hyper Backup / Hyper Backup Vault, Log Center, MailPlus / MailPlus Server, Media Server, Note Station, PDF Viewer, PetaSpace, Proxy Server, RADIUS Server, Office / Spreadsheet, SSO Server, Storage Analyzer, Surveillance Station, Universal Search, Synology Application Service, SMI-S Provider, Text Editor, USB Copy, Video Station, VPN Server, WebDAV Server, Web Station
SRM
SRM 1.1 latest version
Packages: VPN Plus
Synology cloud service
account.synology.com
c2.synology.com
Qualifying vulnerabilities
Server-side Remote Code Execution (RCE)
Stored Cross-site Scripting (XSS)
Cross-site Request Forgery
Server-Side Request Forgery (SSRF)
SQL Injection
XML External Entity Attacks (XXE)
Access Control Issues
Exposed administrative panels that don't require login credentials
Directory Traversal Issues
Local File Disclosure (LFD)
Non-qualifying vulnerabilities
Synology reserves the right to determine whether a reported issue qualifies for a reward. In certain cases, software bugs are not considered security issues. Some of the exceptions are listed as follows:
Outdated services or products
XSS issues affecting only outdated browsers
Most brute force attack issues
Security bugs in software related to an acquisition for a period of 90 days following any public announcement
Reports stating that software is out of date/vulnerable without a proof of concept
Self-XSS that cannot be used to exploit other users (this includes having a user paste JavaScript into the browser console)
Reports derived from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated
Denial of Service Attacks
Reflected File Download (RFD)
Physical or social engineering attempts
Content injection issues
Missing autocomplete attributes
Missing cookie flags on non-security-sensitive cookies
Issues that require physical access to a victim’s computer
Missing security headers that do not present an immediate security vulnerability
Fraud issues
SSL/TLS scan reports (e.g., output from sites such as SSL Labs)
Banner grabbing issues (figuring out what web server we use, etc.)
Opened ports without providing proof-of-concept demonstrating vulnerability
Recently disclosed 0-day vulnerabilities
Bug investigation and reporting
Please contact us at bounty@synology.com if you have found a vulnerability, and encrypt your bug report with the PGP key offered by Synology when sending it to us. The Synology Security Team will respond to your report within 3 days, and will soon release the vulnerability fix according to its severity. Your credit will be listed on our Security Advisory page after the reported vulnerability is confirmed to be eligible.
Any vulnerability testing must not violate any law. Please target only your own accounts and devices when investigating and testing a vulnerability, and never attempt to access accounts, devices, or data that are not your own. Any activity that is potentially detrimental to Synology or its users is strictly forbidden.
When reporting a vulnerability, please provide a detailed PoC (Proof of Concept) and make sure that the reported issues can be reproduced. We encourage you to provide succinct information. For example, a short proof-of-concept link is valued higher than a video explaining the consequences of an SSRF issue. Please note the following during bug investigation and reporting:
Disclosing any bug information before our prior approval, or posting anything that may negatively impact this program or Synology, is strictly forbidden. In addition, you must never attempt to affect Synology’s official services or violate any applicable laws or regulations.
Please note that we only respond to technical vulnerability reports. For non-security bugs or queries, please contact Synology Support Center.
Confidentiality
Synology serves as the only recipient of bug reports. Therefore, bug information must not be disclosed to any third party, and must not be disclosed publicly without Synology’s prior consent. To ensure information security, please encrypt your bug reports with the PGP key offered by Synology when sending them to us.
Any information you receive or collect about Synology, its affiliates or any of their users, employees or agents in connection with this Bug Bounty Program must be kept confidential and only used for the purpose of investigating and reporting vulnerabilities. Any confidential information must not be used, disclosed, or distributed without Synology’s prior written consent.
Researchers violating the aforementioned terms will forfeit the right to receive any reward and will be immediately removed from this program.
Legal points
Synology Security Bug Bounty Program is not a competition but an experimental and discretionary rewards program. The Program, including its policies, is subject to change or cancellation by Synology at any time, without notice. In addition, the decision as to whether or not to pay a reward is entirely at Synology’s discretion.
Policy: https://www.synology.com/en-global/support/bounty_program
Domains
synology.com