We take security seriously. If you believe you have discovered a vulnerability in any Synelo Studio service — the marketing site, the prospect portal, the audit pipeline, the admin surface, or any client deliverable we run — please tell us before disclosing it publicly.
How to report
- Email: security@synelostudio.com
- Languages: English, Ukrainian, Czech
- Machine-readable policy (RFC 9116): /.well-known/security.txt
Our response
- Acknowledgement: within 72 hours of your first message.
- Triage: within 7 days, with a target fix-or-mitigation date.
- Resolution: we aim to resolve confirmed issues within 30 days. Critical issues are prioritised same-day.
- Credit: we're happy to credit you on this page (or stay quiet, your call).
Scope
- synelostudio.com and all subdomains we operate
- The prospect portal (/p/[slug])
- The audit pipeline (/scan, /audit/[id])
- The admin surface (auth, prospect store, scheduled emails)
- Any deliverable we deployed under a Synelo SOW
Out of scope
- Denial-of-service tests against production endpoints
- Social engineering of Synelo staff or clients
- Findings that require root or physical access to the host
- Reports generated by automated scanners without proof of exploitability
- Best-practice deviations with no demonstrated impact (e.g. missing security headers on static-asset hosts)
Safe-harbour
We will not pursue legal action against good-faith security research conducted in line with this policy. Please:
- Test only against accounts and data you own or have explicit permission to use.
- Do not exfiltrate or retain personal data beyond what is needed to demonstrate the vulnerability.
- Do not publicly disclose the issue before we have had a reasonable chance to fix it.
Out-of-band contact
If security@synelostudio.com is unreachable, you can use the general contact: hello@synelostudio.com with subject prefix [SECURITY]. We will route it to the right person within the same SLA.