Security Bug Bounty Program
As threats evolve and increase in both frequency and sophistication, Synology is working with security researchers to maintain and further bolster our protections.
Product scopeThis program only accepts vulnerability reports related to Synology’s products and web services. Vulnerability reports that fall outside of the program’s scope do not generally qualify for rewards; however, out-of-scope reports of critical vulnerabilities may be accepted depending on the situation.

Operating systems

Rewards of up to

US $30,000

Includes Synology DiskStation Manager, Synology Router Manager, and Synology BeeStation.

Learn more

Software and C2 cloud services

Rewards of up to

US $10,000

Includes Synology-developed software packages, related mobile apps, and C2 cloud services.

Learn more

Web services

Rewards of up to

US $5,000

Includes all major Synology web services.

Learn more
Reward Details
Reward eligibility criteria
Please provide any information we need to reproduce the reported issues. The size of each reward depends on the severity of the reported vulnerability and which product category is affected.To qualify for monetary rewards, reports must meet the following criteria:
  1. You are the first researcher to report this vulnerability
  2. The reported vulnerability is confirmed to be verifiable, replicable, and a valid security issue
  3. Your report complies with the Bounty Program’s terms and regulations
Reporting security bugsIf you believe you have found a vulnerability, please follow the steps below:
Step 1

Contact us using the Bounty Program contact form.

Step 2

Use this PGP key to encrypt your information when sending bug reports to Synology.

Step 3

Include a detailed proof of concept (PoC) and make sure that the reported issues can be reproduced.

Step 4

Keep your description succinct. For example, a short proof-of-concept link is valued higher than a video explaining the consequences of an SSRF issue.

Your and our responsibilitiesYour reportTo reduce our processing time, a good vulnerability report should:
  1. Contain a clearly written step-by-step description in English of how to reproduce the vulnerability
  2. Demonstrate how the vulnerability affects Synology products or web services, and describe which versions and platforms are affected
  3. State the potential damage caused by the reported vulnerability
Our response
The Synology Security Team will respond to your report within 7 days and regular update the status and fix the vulnerability as soon as possible, depending on the severity of the threat posed.If your vulnerability report qualifies for a monetary reward, your name will be listed on the Synology Product Security Advisory page on our official website as a gesture of our appreciation.This process will take at least 90 days. Your reward will be transferred to you upon completion of the process.
Notes:Synology reserves the right to change or cancel this program, including its policies, at any time without prior notice.
Operating systems
Reward

Qualified reports are eligible for a reward of up to US$30,000.*

Products within scope

Only reports about officially released versions are accepted.

DiskStation Manager (DSM)

  • DSM 7 (latest version)

Synology Router Manager (SRM)**

  • SRM 1.3 (latest version)

Synology Camera firmware***

  • Firmware 1.1 (latest version)

Synology BeeStation

  • BeeStation OS 1.0 (latest version)
Regulations and restrictions

This program is strictly limited to security vulnerabilities found in Synology products and services. Actions that could potentially damage or detrimentally affect Synology servers or data are strictly forbidden. Vulnerability testing must not breach local or Taiwanese laws.

Vulnerability reports are not accepted under the program if they describe or involve:

  1. DoS (Denial of Service) attacks on Synology’s or users' servers
  2. Vulnerability testing that is detrimental to Synology’s or users’ servers or data
  3. Physical attacks or social engineering
  4. Disclosure of bug information before approval by Synology
  5. Non-critical vulnerabilities in outdated services or products
  6. Vulnerabilities affecting only outdated web browsers
  7. Most types of brute-force attack
  8. Reflected XSS attacks or Self XSS attacks
  9. Vulnerabilities that involve phishing, creation of fake websites, or committing fraud
  10. Vulnerability scanning reports that do not detail the vulnerability’s effects
  11. Indications that default ports are vulnerable, but without providing a PoC
  12. Theoretical vulnerabilities lacking concrete Proof of Concept (PoC)
  13. Open redirects alone are typically considered informational and do not qualify for rewards unless they contribute to a more significant vulnerability
  14. Missing security headers that do not directly lead to exploitation
  15. Missing security flags in cookies
  16. User enumeration. Reports outlining user enumeration are not within scope unless you can demonstrate that we don’t have any rate limits in place to protect our users.

*See the Reward Details page on the Security Bug Program web page for more details.
**The maximum reward for vulnerabilities in SRM_LAN is $5,000.
***The maximum reward for vulnerabilities in camera firmware is $10,000.

Software and C2 cloud services
Reward

Qualified reports are eligible for a reward of up to US$10,000.*

Products within scope

Only reports about officially released versions are accepted.

Packages

Synology-developed software packages

Desktop clients

Synology-developed Windows, macOS, and Linux applications

Mobile apps

Synology-developed mobile apps for Android and iOS

Synology Account

  • *.account.synology.com domains
  • *.identity.synology.com domains

C2 services

*.c2.synology.com domains

Regulations and restrictions

This program is strictly limited to security vulnerabilities found in Synology products and services. Actions that could potentially damage or detrimentally affect Synology servers or data are strictly forbidden. Vulnerability testing must not breach local or Taiwanese laws.

Vulnerability reports are not accepted under the program if they describe or involve:

  1. DoS (Denial of Service) attacks on Synology’s or users' servers
  2. Vulnerability testing that is detrimental to Synology’s or users’ servers or data
  3. Physical attacks or social engineering
  4. Disclosure of bug information before approval by Synology
  5. Non-critical vulnerabilities in outdated services or products
  6. Vulnerabilities affecting only outdated web browsers
  7. Most types of brute-force attack
  8. Reflected XSS attacks or Self XSS attacks
  9. Vulnerabilities that involve phishing, creation of fake websites, or committing fraud
  10. Vulnerability scanning reports that do not detail the vulnerability’s effects
  11. Indications that default ports are vulnerable, but without providing a PoC
  12. Theoretical vulnerabilities lacking concrete Proof of Concept (PoC)
  13. Open redirects alone are typically considered informational and do not qualify for rewards unless they contribute to a more significant vulnerability
  14. Missing security headers that do not directly lead to exploitation
  15. Missing security flags in cookies
  16. User enumeration. Reports outlining user enumeration are not within scope unless you can demonstrate that we don’t have any rate limits in place to protect our users.

*See the Reward Details page on the Security Bug Program web page for more details.

Web services
Reward

Qualified reports are eligible for a reward of up to US$5,000.*

Products within scope

The following domains (including sub-domains) are in scope:

*.synology.com

The following domains (including sub-domains) are out of scope:

openstack-ci-logs.synology.com, router.synology.com, order.synology.com

Synology reserves the right to modify this list at any time without notice.

Regulations and restrictions

This program is strictly limited to security vulnerabilities found in Synology products and services. Actions that could potentially damage or detrimentally affect Synology servers or data are strictly forbidden. Vulnerability testing must not breach local or Taiwanese laws.

Vulnerability reports are not accepted under the program if they describe or involve:

  1. DoS (Denial of Service) attacks on Synology’s or users' servers
  2. Vulnerability testing that is detrimental to Synology’s or users’ servers or data
  3. Physical attacks or social engineering
  4. Disclosure of bug information before approval by Synology
  5. Directory traversal on https://*archive.synology.com
  6. Reflected file download
  7. Banner grabbing issues or software version disclosure
  8. 0-day vulnerability disclosed within 90 days
  9. Non-critical vulnerabilities in outdated services or products
  10. Vulnerabilities affecting only outdated web browsers
  11. Most types of brute-force attack
  12. Reflected XSS attacks or Self XSS attacks
  13. Vulnerabilities that involve phishing, creation of fake websites, or committing fraud
  14. Vulnerability scanning reports that do not detail the vulnerability’s effects
  15. Indications that default ports are vulnerable, but without providing a PoC
  16. Theoretical vulnerabilities lacking concrete Proof of Concept (PoC)
  17. Open redirects alone are typically considered informational and do not qualify for rewards unless they contribute to a more significant vulnerability
  18. Missing security headers that do not directly lead to exploitation
  19. Missing security flags in cookies
  20. User enumeration. Reports outlining user enumeration are not within scope unless you can demonstrate that we don’t have any rate limits in place to protect our users.

*See the Reward Details page on the Security Bug Program web page for more details.

Reward details
This page is designed to help researchers understand the potential maximum rewards for specific types of vulnerabilities and to highlight the types of vulnerabilities that Synology values most. We value your contributions and are dedicated to fairly rewarding significant security research.The rewards in the table show the maximum possible for each category, but not every qualifying report is guaranteed to receive the listed amount.*
Critical
Operating systemsSoftware and C2 cloud servicesWeb services
Zero-click pre-auth RCE$30,000$10,000$5,000
Zero-click pre-auth arbitrary file r/w$9,000$4,600$2,400
Important
Operating systemsSoftware and C2 cloud servicesWeb services
1-click pre-auth RCE$8,000$4,000$2,000
Zero-click normal-user-auth RCE$7,500$3,900$1,900
Zero-click normal-user-auth arbitrary file r/w$6,500$3,400$1,700
Zero-click pre-auth RCE (AC:H)$6,500$3,400$1,700
1-click pre-auth RCE (AC:H)$5,000$2,500$1,325
pre-auth SQL injection$3,800$1,950$1,025
1-click normal-user-auth RCE (AC:H)$2,600$1,350$725
pre-auth stored XSS$2,600$1,350$725
Moderate
Operating systemsSoftware and C2 cloud servicesWeb services
normal-user-auth stored XSS$1,350$733$417
normal-user-auth SQL injection$1,200$607$353
admin-auth vulnerabilities$100$100$100

1. Beginning October 1, 2024 admin-auth vulnerability rewards will be set at $100 USD.

Notes:

  • Please note that while guidelines for rewards are provided, each report is treated individually and thoroughly evaluated. Scoring considers various factors, including but not limited to the scope detailed in the rewards rubric. Synology reserves the right to final interpretation of the reward amounts.
  • For issues classified as low severity or suggestions, only acknowledgements will be provided.
FAQsHow should I report a vulnerability? Please provide detailed PoC (Proof of Concept) and make sure the reported issues can be reproduced. Use this PGP key encryption offered by Synology when sending bug reports to us and do not disclose the relevant information to any third party.Who is responsible for determining whether my bug report is eligible for a reward?All the bug reports are reviewed and evaluated by Synology Security Team, which is comprised of Synology’s senior security analysts. What is the consequence if a bug is publicly disclosed before being fixed?   We endeavor in responding to bug reports promptly and fixing them within a reasonable time period. Please notify us in advance before you publicly disclose the bug information. Any bug disclosure without following this principle will not be qualified for a reward.Are vulnerabilities found in outdated software such as Apache or Nginx qualified for a reward?Please identify the vulnerabilities in the software and explain why you suspect they are detrimental to software use. Reports omitting this type of information are usually not qualified for a bounty. Can I request that my name not be listed on Synology’s Security Advisory page?Yes. You can request not to be listed on our Security Advisory page. However, if you are qualified for a reward and wish to accept it, we will still need your contact information to process the payment.Are vulnerabilities still eligible for a reward if they are reported to vulnerability brokers?Privately disclosing a vulnerability to third parties for purposes other than bug fixing is contradictory to the spirit of our program. Therefore, such reports will not be qualified for a reward. Who is qualified for a bounty if the same bug is reported by more than one person?The reward is granted to the first person who discovers a vulnerability that was previously unknown to us. 
AcknowledgementWe want to give a tip of our hat to security researchers and organizations that have helped us.
  • 2024
  • 2023
  • 2022
  • 2021
  • 2020
  • 2019
  • 2018
  • 2017
  • Khoadha from VCSLab of Viettel Cyber Security ( https://viettelcybersecurity.com/)
  • Tim Coen (https://security-consulting.icu/)
  • Mykola Grymalyuk from RIPEDA Consulting
  • Zhao Runzi (赵润梓)
  • Andrea Maugeri (https://www.linkedin.com/in/andreamaugeri)
  • Offensive Security Research @ Ronin (https://ronin.ae/)
  • Nathan (Yama) https://DontClickThis.run
  • M Tayyab Iqbal (www.alphainferno.com)
  • Only Hack in Cave (tr4ce(Jinho Ju), neko_hat(Dohwan Kim), tw0n3(Han Lee), Hc0wl(GangMin Kim)) (https://github.com/Team-OHiC)
  • Wonbeen Im, STEALIEN (https://stealien.com)
  • 赵润梓、李建申(https://lsr00ter.github.io)
  • Cheripally Sathwik (https://www.instagram.com/ethical_hacker_sathwik)
  • Steven Lin (https://x.com/5teven1in)
  • Qian Chen (@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group
  • Mohd Ali (revengerali)
  • Orange Tsai (@orange_8361) from DEVCORE Research Team
  • Bocheng Xiang with FDU(@crispr)
  • HANRYEOL PARK, HYOJIN LEE, HYEOKJONG YUN, HYEONJUN LEE, DOWON KWAK, ZIEN (https://zi-en.io/)
  • Hydrobikz (https://www.linkedin.com/in/bikash-)
  • Can Acar (https://imcan.dev)
  • Yves Bieri of Compass Security (https://www.compass-security.com)
  • DEVCORE Research Team (https://devco.re/)
  • aoxsin (https://twitter.com/aoxsin)
  • Runzi (赵润梓)
  • Andrea Maugeri (https://www.linkedin.com/in/andreamaugeri)
  • Offensive Security Research @ Ronin (https://ronin.ae/)
  • Nathan (Yama) https://DontClickThis.run
  • M Tayyab Iqbal (www.alphainferno.com)
  • Only Hack in Cave (tr4ce(Jinho Ju), neko_hat(Dohwan Kim), tw0n3(Han Lee), Hc0wl(GangMin Kim)) (https://github.com/Team-OHiC)
  • Wonbeen Im, STEALIEN (https://stealien.com)
  • 赵润梓、李建申(https://lsr00ter.github.io)
  • Cheripally Sathwik (https://www.instagram.com/ethical_hacker_sathwik)
  • Steven Lin (https://x.com/5teven1in)
  • Qian Chen (@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group
  • Mohd Ali (revengerali)
  • Orange Tsai (@orange_8361) from DEVCORE Research Team
  • Bocheng Xiang with FDU(@crispr)
  • HANRYEOL PARK, HYOJIN LEE, HYEOKJONG YUN, HYEONJUN LEE, DOWON KWAK, ZIEN (https://zi-en.io/)
  • Hydrobikz (https://www.linkedin.com/in/bikash-)
  • Can Acar (https://imcan.dev)
  • Yves Bieri of Compass Security (https://www.compass-security.com)
  • Endure Secure (https://endsec.au)
  • Stephen Argent (https://www.runby.coffee/)
  • Qian Chen (@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group
  • Jan Kopřiva of Nettles Consulting (https://www.nettles.cz/security/)
  • Andrej Zaujec (https://www.linkedin.com/in/andrej-zaujec-24ba07158/)
  • chumen77 from WeBin Lab of DbappSecurity Co.,Ltd.
  • Bruce Chen (https://twitter.com/bruce30262)
  • aoxsin (https://twitter.com/aoxsin)
  • Armanul Miraz
  • Jaehoon Jang, STEALIEN (https://stealien.com)
  • Jangwoo Choi, HYEONJUN LEE, SoYeon Kim, TaeWan Ha, DoHwan Kim (https://zrr.kr/SWND)
  • Jaehoon Jang, Wonbeen Im, STEALIEN (https://stealien.com)
  • Tomer Goldschmidt and Sharon Brizinov of Claroty Research - Team82
  • Vo Van Thong of GE Security (VNG) (https://www.linkedin.com/in/thongvv3/)
  • Hussain Adnan Hashim (https://www.linkedin.com/in/hussain0x3c)
  • TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)
  • Tim Coen (https://security-consulting.icu)
  • TEAM TGLS (Best of the Best 12th) (https://zrr.kr/SWND)
  • Zhao Runzi (赵润梓)
  • Kevin Wang (https://twitter.com/kevingwn_ )
  • Shubham Kushwaha/ meenakshi Maurya (https://github.com/anabelle666)
  • Safwat Refaat (@Caesar302)
  • Jeffrey Baker (www.Biznet.net)
  • Monisha N (https://www.linkedin.com/in/monisha-nagaraj-321524218/)
  • Ravi (https://twitter.com/itsrvsinghh)
  • remonsec (https://twitter.com/remonsec)
  • TheLabda (https://thelabda.com)
  • Grant Kellie (https://www.linkedin.com/in/grant-kellie-54a23b238/)
  • pulla karthik srivastav (https://www.linkedin.com/in/karthik-srivastav-680359192)
  • Muhammad Tanvir Ahmed https://www.facebook.com/tohidulislam.tanvir.948
  • Eugene Lim, Government Technology Agency of Singapore (https://spaceraccoon.dev)
  • Laurent Sibilla (https://www.linkedin.com/in/lsibilla/)
  • Thomas Werschlein (https://www.linkedin.com/in/thomas-werschlein-2293384b)
  • Sivanesh kumar (https://twitter.com/sivanesh_hacker)
  • Davis Chang. (https://www.linkedin.com/in/hong-tsun-davis-chang/)
  • @aoxsin (https://twitter.com/aoxsin)
  • Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
  • Hasibul Hasan Shawon (@Saiyan0x01)
  • Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
  • Zain Iqbal (https://www.linkedin.com/in/zain-iqbal-971b76254/)
  • Lukas Kupczyk, CrowdStrike Intelligence
  • Tomasz Szczechura (https://www.linkedin.com/in/tomasz-szczechura-5189098b/)
  • Zhao Runzi (赵润梓)
  • Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group
  • Patrik Fabian (https://websafe.hu)
  • Eugene Lim, Government Technology Agency of Singapore (https://spaceraccoon.dev)
  • Jeenika Anadani (https://twitter.com/j33n1k4)
  • waterpeitw (https://zeroday.hitcon.org/user/waterpeitw)
  • Milan katwal (https://www.milankatwal.com.np/)
  • N S R de Rooy (https://www.linkedin.com/in/norbert-de-rooy-9b24527/)
  • Christian Tucci (https://www.linkedin.com/in/christian-tucci/)
  • Ravindra Dagale (https://www.linkedin.com/in/ravindra-dagale-5b0913151/)
  • Sanket Anil Ambalkar (https://www.linkedin.com/in/sanket-ambalkar-70211518b/)
  • Chirag Agrawal (https://www.linkedin.com/in/chirag-agrawal-770488144/)
  • Yimi Hu@baidu.com
  • Raman R Mohurle (https://twitter.com/Raman_Mohurle)
  • cmj (http://blog.cmj.tw/)
  • Parth Manek
  • Patrick Williams (https://www.linkedin.com/in/patrick-williams-6992b4104/)
  • Amaranath Moger (https://www.linkedin.com/in/amaranath-moger/)
  • Dennis Herrmann (Code White GmbH)
  • Siddharth Parashar (https://www.linkedin.com/in/siddharth-parashar-b2a21b1b5/)
  • Sahil Soni (https://twitter.com/sahil__soni_18?s=08)
  • Hasibul Hasan Shawon -[Sec Miner's Bangladesh]
  • Devender Rao (https://www.linkedin.com/in/devender-rao)
  • RAJIB BAR (https://www.linkedin.com/in/rajib-bar-rjb-b3683314b)
  • Atharv Shejwal (https://kongsec.io)
  • Xavier DANEST (https://sustainability.decathlon.com/)
  • Aditya Shende (http://kongsec.io)
  • Andreas Rothenbacher (https://error401.de)
  • Rachit Verma @b43kd00r (https://www.linkedin.com/in/b43kd00r/)
  • Suraj SK (https://www.linkedin.com/in/suraj-sk/)
  • Simon Effenberg (https://www.linkedin.com/in/simon-effenberg)
  • Niraj Mahajan (https://www.linkedin.com/in/niraj1mahajan)
  • Ayush Pandey (https://www.linkedin.com/in/ayush-pandey-148797175)
  • Sivanesh kumar D (https://twitter.com/sivanesh_hacker?s=09)
  • Touhid Shaikh (https://securityium.com/)
  • N Krishna Chaitanya (https://www.linkedin.com/in/n-krishna-chaitanya-27926aba/)
  • Ayush Mangal (https://www.linkedin.com/in/ayush-mangal-48a168110)
  • Tameem Khalid (https://www.linkedin.com/in/tameem-khalid-641a4b192/)
  • ddaa of TrapaSecurity (https://twitter.com/0xddaa)
  • Praveen Kumar
  • Oscar Spierings (https://polyform.dev)
  • Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
  • swings of Chaitin Security Research Lab
  • Hasibul Hasan Rifat (https://twitter.com/rifatsec)
  • Lanni
  • Yeshwanth (https://www.linkedin.com/in/yeshwanth-b-4a560b202)
  • Darshan Sunil jogi (https://www.linkedin.com/in/darshan-jogi-9450431b6/)
  • Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
  • Lanni
  • Swapnil Patil (https://www.linkedin.com/in/swapnil-patil-874223195)
  • Vladislav Akimenko (Digital Security) (https://dsec.ru)
  • Muhammad Junaid Abdullah (https://twitter.com/an0n_j)
  • Claudio Bozzato of Cisco Talos (https://talosintelligence.com/vulnerability_reports/)
  • Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
  • Aditya Soni (https://www.linkedin.com/in/adtyasoni)
  • Mansoor Amjad (https://twitter.com/TheOutcastCoder)
  • Thomas Fady (https://www.linkedin.com/in/thomas-fady)
  • James Smith (Bridewell Consulting) (https://bridewellconsulting.com)
  • Kinshuk Kumar (https://www.linkedin.com/in/kinshuk-kumar-4833551a1/)
  • Amit Kumar (https://www.linkedin.com/in/amit-kumar-9853731a4)
  • Mehedi Hasan Remon (twitter.com/remonsec)
  • Joshua Olson (www.linkedin.com/in/joshua-olson-cysa)
  • Vaibhav Rajeshwar Atkale(https://twitter.com/atkale_vaibhav)
  • Mohammed Eldawody (www.fb.com/eldawody0)
  • YoKo Kho (https://twitter.com/YoKoAcc)
  • Satyajit Das (https://www.linkedin.com/in/mrsatyajitdas)
  • Tinu Tomy (https://twitter.com/tinurock007)
  • Aniket Bhutani (https://www.linkedin.com/in/aniket-bhutani-6ba979192/)
  • Anurag Muley (https://www.linkedin.com/in/ianuragmuley/)
  • Howard Ching (https://www.linkedin.com/in/howard-ching-rhul/)
  • Janmejaya Swain (https://www.linkedin.com/in/janmejayaswainofficial)
  • Ahmad Firmansyah (https://twitter.com/AhmdddFsyaaah)
  • Agrah Jain (www.linkedin.com/in/agrahjain)
  • Shivam Kamboj Dattana (https://www.linkedin.com/in/sechunt3r/)
  • Pratik Vinod Yadav (https://twitter.com/PratikY9967)
  • Akshaykumar Kokitkar (https://mobile.twitter.com/cyber_agent2)
  • Shesha Sai C (https://www.linkedin.com/in/shesha-sai-c-18585b125)
  • Yash Agarwal (https://www.linkedin.com/in/yash-agarwal-17464715b)
  • Jan KOPEC(https://twitter.com/blogresponder)
  • Denis Burtanović
  • Hasibul Hasan Shawon -[Sec Miner's Bangladesh]
  • Georg Delp (https://www.linkedin.com/in/georgdelp/)
  • R Atik Islam (https://www.facebook.com/atik.islam.14661)
  • Jose Israel Nadal Vidal (https://twitter.com/perito_inf)
  • Thomas Grünert (https://de.linkedin.com/in/thomas-gr%C3%BCnert-250905168)
  • Matteo Bussani (https://www.linkedin.com/in/matteo-bussani-77b595198/)
  • Bing-Jhong Jheng (https://github.com/st424204/ctf_practice)
  • Swapnil Patil (https://www.linkedin.com/in/swapnil-patil-874223195)
  • Prakash Kumar Parthasarathy (https://www.linkedin.com/in/prakashofficial)
  • Kitab Ahmed (www.ahmed.science)
  • Ahmad Firmansyah (https://twitter.com/AhmdddFsyaaah)
  • Tiziano Di Vincenzo (https://www.linkedin.com/in/tiziano-d-3324a345/)
  • Pratik Vinod Yadav (https://www.linkedin.com/in/pratik-yadav-117463149)
  • Diwakar Kumar (https://www.linkedin.com/in/diwakar-kumar-5b3843114/)
  • Rushi Gayakwad
  • Yash Ahmed Quashim (https://www.facebook.com/abir.beingviper)
  • Swapnil Kothawade (https://twitter.com/Swapnil_Kotha?s=09)
  • Ankit Kumar (https://www.linkedin.com/in/ankit-kumar-42a644166/)
  • Aman Rai (https://www.linkedin.com/in/aman-rai-737a19146)
  • Rushikesh Gaikwad (https://www.linkedin.com/in/rushikesh-gaikwad-407163171)
  • Rupesh Tanaji Kokare (https://www.linkedin.com/in/rupesh-kokare-b63a78145/)
  • Sumit Jain (https://twitter.com/sumit_cfe)
  • Qian Chen of Qihoo 360 Nirvan Team
  • Vishal Vachheta (https://www.linkedin.com/in/vishal-vachheta-a30863122)
  • Zhong Zhaochen
  • Tomasz Grabowski
  • Nightwatch Cybersecurity Research (https://wwws.nightwatchcybersecurity.com)
  • Safwat Refaat (https://twitter.com/Caesar302)
  • Agent22 (https://securelayer7.net/)
  • Hsiao-Yung Chen
  • Rich Mirch (https://blog.mirch.io)
  • Ronak Nahar (https://www.linkedin.com/in/naharronak/)
  • Noman Shaikh (https://twitter.com/nomanAli181)
  • David Deller (https://horizon-nigh.org)
  • Mehedi Hasan (SecMiners BD) (https://www.facebook.com/polapan.1337)
  • Touhid M Shaikh (https://touhidshaikh.com)
  • Abhishek Gaikwad
  • Kitabuddin Ahmed
  • Noman Shaikh (https://twitter.com/nomanAli181)
  • Ajit Sharma (https://www.linkedin.com/in/ajit-sharma-90483655)
  • Agung Saputra Ch Lages (https://twitter.com/lagesgeges)
  • Dan Thomsen (www.thomsen.fo)
  • Erik de Jong (https://eriknl.github.io)
  • Sphinx 1,2 (https://www.facebook.com/Sphinx01.10/)
  • AHMED ELSADAT (https://www.linkedin.com/in/ahmed-elsadat-138755133/)
  • Hasibul Hasan (SecMiner)
  • Mohammed Eldawody (www.fb.com/eldawody0)
  • Chris Schneider
  • Abdullah Fares Muhanna (https://www.facebook.com/AbedullahFares)
  • Nick Blyumberg (https://www.linkedin.com/in/nickblyumberg/)
  • Axel Peters
  • Muhammad Junaid Abdullah (https://twitter.com/an0n_j)
  • Kyle Green
  • Thomas Fady (https://www.linkedin.com/in/thomas-fady)
  • Dankel Ahmed (https://hackerone.com/kitab)
  • ShuangYY
  • HackTrack Security
  • Muhammed Ashmil K K (Kavuthukandiyil)
  • Muhammad Junaid Abdullah (https://twitter.com/snoviboy)
  • Kishan kumar (https://facebook.com/noobieboy007)
  • Lays (http://l4ys.tw)
  • Ashish Kumar (https://www.facebook.com/buggyashish)
  • Lakshay Gupta (http://linkedin.com/in/lakshay-gupta-44102a143)
  • Meng-Huan Yu (https://www.linkedin.com/in/cebrusfs/)
  • Ifrah Iman (http://www.ifrahiman.com)
  • Mohammed Israil (https://www.facebook.com/VillageLad, https://www.linkedin.com/in/mohammed-israil-221656128)
  • Taien Wang (https://www.linkedin.com/in/taienwang/)
  • Emad Shanab (@Alra3ees) (https://twitter.com/Alra3ees?s=09)
  • குகன் ராஜா (Havoc Guhan) (https://fb.com/havocgwen)
  • Yasser Gersy (https://twitter.com/yassergersy)
  • Ismail Tasdelen (https://www.linkedin.com/in/ismailtasdelen)
  • Thomas Fady (https://www.linkedin.com/in/thomas-fady)
  • Oliver Kramer (https://www.linkedin.com/in/oliver-kramer-670206b5)
  • 1N3@CrowdShield (https://crowdshield.com)
  • louys, Xie Wei (解炜), Li Yanlong (李衍龙)
  • Zuo Chaoshun (https://www.linkedin.com/in/chaoshun-zuo-5b9559111/)
  • Ali Razzaq (https://twitter.com/AliRazzaq_)
  • 丁諭祺(Yu-Chi Ding) from DEVCORE CHROOT
  • Alex Weber (www.broot.ca)
  • Alex Bastrakov (https://twitter.com/kazan71p)
  • Mehidia Tania (https://www.beetles.io)
  • freetsubasa (https://twitter.com/freetsubasa)
  • Łukasz Rutkowski (http://www.forit.pl/)
  • Maximilian Tews (www.linkedin.com/in/maximilian-tews)
  • Bryan Galao (https://www.facebook.com/xbryan.galao)
  • Jim Zhou (vip-cloud.cn)
  • Chun Han Hsiao
  • Nightwatch Cybersecurity Research (https://wwws.nightwatchcybersecurity.com)
  • Olivier Bédard
  • Mohamed Eldawody (https://www.facebook.com/Eldawody0)
  • Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
  • 郑吉宏通过 GeekPwn 平台提交
  • Independent Security Evaluators (ISE) labs
  • Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
  • B.Dhiyaneshwaran (https://www.linkedin.com/in/dhiyaneshwaran-b-27947a131/)
  • Freiwillige Feuerwehr Rohrbach (www.ff-rohrbach.de)
  • Uriya Yavnieli from VDOO (https://vdoo.com)
  • Jung Chan Hyeok
  • Zhong Zhaochen (http://asnine.com)
  • Honc 章哲瑜 (https://www.facebook.com/you.toshoot)
  • Sumit Jain
  • Ketankumar B. Godhani (https://twitter.com/KBGodhani)
  • karthickumar (Ramanathapuram)
  • Alireza Azimzadeh Milani
  • Taien Wang (https://www.facebook.com/taien.tw)
  • Frédéric Crozat (http://blog.crozat.net/)
  • Muhammad Hassaan Khan (https://www.facebook.com/Profile.Hassaan)
  • SSD/Kacper Szurek
  • Alexander Drabek (https://www.2-sec.com/)
  • RAVELA PRAMOD KUMAR (https://mobile.twitter.com/PramodRavela)
  • Kushal Arvind Shah of Fortinet’s FortiGuard Labs
  • Alvin Poon (https://alvinpoon.myportfolio.com/)
  • C.shahidyan, C.Akilan, K.Sai Aswanth
  • BambooFox (https://bamboofox.github.io/)
  • Sajibe Kanti (https://twitter.com/sajibekantibd)
  • Huy Kha (linkedin.com/in/huykha)
  • Pal Patel (https://www.linkedin.com/in/pal434/)
  • Pethuraj M (https://www.linkedin.com/in/pethu/)
  • Ali Ashber (https://www.facebook.com/aliashber7)
  • Muzammil Abbas Kayani (@muzammilabbas2 )
  • Tayyab Qadir (facebook.com/tqMr.EditOr)
  • Babar Khan Akhunzada (www.SecurityWall.co)
  • Mahad Ahmed (https://octadev.com.pk)
  • JD Duh (blog.johndoe.tw, www.linkedin.com/in/JD-Duh)
  • Mubassir Kamdar (http://www.mubassirkamdar.com)
  • Daniel Díez Tainta (https://twitter.com/danilabs)
  • Tushar Rawool (twitter.com/tkrawool)
  • Thrivikram Gujarathi (https://www.linkedin.com/in/thrivikram-gujarathi-certified-ethical-hacker-bug-bounty-hunter-53074796)
  • Ashish Kunwar (twitter: @D0rkerDevil)
  • Steven Hampton (Twitter: @Keritzy, https://stevenh.neocities.org/)
  • Peter Bennink (https://www.linkedin.com/in/peter-bennink/)
  • Thomas Fady (https://www.linkedin.com/in/thomas-fady/)
  • Roopak Voleti (https://m.facebook.com/sairoopak.voleti)