SyncRivo's Vulnerability Management Policy and Security guidelines. Learn how we identify, report, and remediate security vulnerabilities.
We work with researchers to fix issues before disclosure
Critical vulnerabilities are prioritized for immediate fix
Legal protection for good-faith security research
At SyncRivo, security is our top priority. We are committed to ensuring the safety of our customers' data and the reliability of our services.
We understand that security vulnerabilities may exist in any software system. This Vulnerability Management Policy outlines our approach to identifying, prioritizing, and remediating security vulnerabilities, as well as our process for receiving reports from the security community.
This policy applies to all systems, software, and services owned and operated by SyncRivo, including but not limited to:
• The SyncRivo web application (syncrivo.ai)
• Our messaging integration bots (Slack, Teams, Google Chat)
• Our API endpoints and backend infrastructure
• Internal systems and third-party integrations under our control
If you believe you have found a security vulnerability in one of our products or services, we encourage you to let us know right away. We appreciate your help in disclosing the issue to us responsibly.
Please send your report to security@syncrivo.ai. In your report, please include:
• A description of the vulnerability and its potential impact
• Steps to reproduce the issue (proof of concept)
• Any relevant screenshots or logs
• Your contact information for follow-up
SyncRivo supports safe harbor for security researchers. If you conduct your research and reporting in accordance with this policy, we will:
• Consider your research to be authorized
• Not pursue or support any legal action against you related to your research
• Work with you to understand and resolve the issue quickly
• Recognize your contribution (if you wish) once the issue is resolved
Once a vulnerability is reported, our security team follows this process:
1. Triage & Verification: We will acknowledge receipt of your report within 48 hours and verify the validity of the vulnerability.
2. Prioritization: We classify the severity of the issue based on its potential impact (Critical, High, Medium, Low).
3. Remediation: We develop and test a fix. Critical issues are prioritized for immediate resolution.
4. Deployment: The fix is deployed to our production environment.
5. Disclosure: After the fix is verified, we may publish a security advisory or notify affected users if necessary.
The following activities are strictly prohibited:
• Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
• Physical attacks against our offices or data centers
• Social engineering (phishing, vishing) of our employees or customers
• Automated scanning tools that generate significant traffic
• Accessing or modifying data that does not belong to you
We aim to adhere to the following response timelines:
• Initial Response: Within 48 hours
• Triage & Severity Assessment: Within 5 business days
• Status Updates: Every 5 business days (or as agreed upon)
• Remediation Target: Critical (7 days), High (30 days), Medium (90 days)
To report a vulnerability or for any security-related inquiries, please contact us directly.
Email: security@syncrivo.ai
PGP Key: Available upon request