Vulnerability Disclosure Policy

Effective Date: May 16, 2026

SynTopic Inc. (hereinafter, "the Company") welcomes reports from security researchers and members of the public who identify potential security vulnerabilities in our services. The Company recognizes that good-faith security research strengthens the protection of customer information and the integrity of the Company's services. This policy describes how to report a vulnerability, what is in scope, and the commitments the Company makes to good-faith reporters.

1. How to Report

Send vulnerability reports to security@syntopic.io. To allow the Company to triage and remediate quickly, reports should include:

  • A description of the vulnerability and its potential security impact
  • Steps to reproduce, including any required configuration, input, or account state
  • Affected URLs, endpoints, or components
  • The reporter's contact information, if a response is desired

PGP-encrypted submissions are accepted on request; contact the address above to receive the current public key.

Note: For non-security product feedback (UI issues, feature requests, or general bug reports that do not involve a security vulnerability), please use the in-product "Report a Bug" feature available within beta.syntopic.io. The intake described in this policy is dedicated to security vulnerabilities and is monitored only by personnel with a need to know.

2. Scope

This policy applies to the following Company-operated assets:

  • The marketing site (syntopic.io)
  • The beta application environment (beta.syntopic.io) and its API
  • Source code repositories under github.com/syntopic

The following are out of scope:

  • Third-party services the Company integrates with (please report directly to the provider)
  • Denial-of-service or volumetric attacks, including resource exhaustion
  • Findings derived solely from automated scanners without a reproducible impact
  • Social engineering of the Company's officers, employees, or contractors
  • Physical attacks against the Company's facilities
  • Reports that require physical access to a victim device

3. Response Commitment

On a best-effort basis, the Company commits to the following timelines:

  • Initial acknowledgement: within 5 business days of receipt
  • Triage and severity assessment: within 10 business days
  • Status updates: at least every 30 days until the report is closed
  • Target remediation timeline by severity: Critical 30 days, High 30 days, Medium 60 days, Low 90 days, and Informational on an as-needed basis. These timelines mirror the Company's internal Operations Security Policy.

4. Severity Classification

The Company assesses severity using CVSS v3.1. Reporters may suggest a severity rating; the Company's assessment is the final reference for remediation planning.

5. Safe Harbor

The Company will not pursue or support legal action against a reporter who:

  • Makes a good-faith effort to comply with this policy
  • Avoids privacy violations, destruction of data, and interruption of services
  • Interacts with the Company's systems only through the methods described in this policy
  • Does not exploit a discovered vulnerability beyond what is required to demonstrate the issue
  • Does not publicly disclose the vulnerability before remediation, except as expressly agreed with the Company

This safe harbor does not extend to violations of applicable laws that the Company has no authority to waive.

6. Confidentiality

The Company will keep the reporter's identity confidential unless the reporter agrees to disclosure. Vulnerability details will not be shared externally before remediation, except with vendors or service providers strictly necessary to fix the issue, who are themselves bound by confidentiality obligations.

7. Recognition

The Company does not currently operate a monetary bounty program. Reporters who submit valid vulnerabilities may, with their consent, be credited on a public acknowledgements page maintained by the Company.

8. Beta Phase Notice

The Company is currently in beta. The reporting workflow described in this policy is operated by the Company's personnel using email and internal tooling. The Company reserves the right to migrate this workflow to a third-party vulnerability disclosure platform in the future; any such migration will preserve the commitments stated in this policy.

SynTopic Inc.
Shoichi Seto, Representative Director