Synology Secure Development Lifecycle

The modern cyber threat landscape demands that security and privacy be actively considered at every stage of a product’s life. Discover how Synology is incorporating security and end-user privacy into every product, from planning and development through release and support.

Securing the development pipeline

Planning and design

Products are designed against well-defined security and privacy requirements, using threat modeling to prioritize assets and risks, and with data paths mapped for review and analysis. Component architectures are then reviewed to produce robust, performant designs that need minimal maintenance and offer long-term value.

Implementation and verification

Developers follow Synology’s secure coding standards to build software components that match the security models designed for them. Imported open-source modules are vetted before use, and the toolchains Synology’s developers rely on are kept patched with the latest security updates. Static Application Security Testing (SAST) runs on internal builds during implementation to ensure completed code avoids common classes of security flaws. When release candidates are ready, Dynamic Application Security Testing (DAST) helps confirm the code is ready for production environments. Automated vulnerability scanning is also employed, and Synology performs penetration testing as a standard final verification step.

Release

Completed products are distributed in a staged release, limiting exposure if a zero-day vulnerability is discovered shortly after launch. As an added safeguard, Synology signs all DiskStation Manager packages and updates with signing keys held in hardware security modules, so a package whose signature does not verify against Synology’s key is rejected before installation.
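What the client side of that signing step looks like, as an added example that is not Synology’s code and does not describe DSM’s actual package format or keys: a hypothetical manifest (name, version, SHA-256 of the payload) is signed by the publisher, and the client verifies the signature under a pinned public key before it trusts the hash, then checks the payload against that hash. Ed25519 and an in-memory key pair are assumptions of the example; in a real pipeline the private key stays inside the HSM and only the signing operation is exposed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor: the publisher signs it, and the
// client trusts the payload hash only after the signature checks out.
type Manifest struct {
	Name    string
	Version string
	SHA256  string // hex-encoded SHA-256 of the package payload
}

// Bytes is a fixed, unambiguous serialization: the same bytes are signed by the
// publisher and verified by the client, so nothing in the manifest can be
// altered in transit without invalidating the signature.
func (m Manifest) Bytes() []byte {
	return []byte(m.Name + "\n" + m.Version + "\n" + m.SHA256 + "\n")
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify under the publisher key")
	ErrHashMismatch = errors.New("payload hash does not match the signed manifest")
)

// hexSHA256 returns the hex SHA-256 of data, the form stored in the manifest.
func hexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// signManifest is the publisher side. In production the private key lives in an
// HSM; here it is an in-memory Ed25519 key so the example runs offline.
func signManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Bytes())
}

// verifyPackage is the client-side gate before anything is unpacked or run:
// first the manifest signature under the pinned publisher key, then the payload
// hash against the signed manifest. Any failure rejects the package.
func verifyPackage(pub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pub, m.Bytes(), sig) {
		return ErrBadSignature
	}
	if hexSHA256(payload) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

func main() {
	// Stand-in for the HSM-held publisher key (constructed for this demo).
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	payload := []byte("constructed package contents v1.2.3") // constructed sample payload
	m := Manifest{Name: "ExamplePkg", Version: "1.2.3", SHA256: hexSHA256(payload)}
	sig := signManifest(priv, m)

	fmt.Println("genuine package:", verifyPackage(pub, m, sig, payload))

	// Tampered payload: the signature is still valid, but the hash no longer matches.
	fmt.Println("tampered payload:", verifyPackage(pub, m, sig, append([]byte("x"), payload...)))

	// Tampered manifest (e.g. version bumped to look newer): the signature fails.
	forged := m
	forged.Version = "9.9.9"
	fmt.Println("tampered manifest:", verifyPackage(pub, forged, sig, payload))

	// Signed by someone else: the pinned publisher key rejects it.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong signer:", verifyPackage(pub, m, signManifest(otherPriv, m), payload))
}
```

The order matters: the signature is checked before the hash so that an attacker who controls both payload and manifest cannot simply recompute a matching hash; only the holder of the signing key can produce a manifest the client accepts.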

Response

The Synology Product Security Incident Response Team (PSIRT) manages the receipt, investigation, coordination, and reporting of vulnerability information related to Synology products. PSIRT commits to responding to zero-day exploits within 24 hours and publishes vulnerability alerts through the Synology Product Security Advisory.

Synology Secure Development Lifecycle process

Synology’s ongoing commitment to security

Dedicated security teams

At Synology, PSIRT takes full ownership of coordinating and enacting product security responses. With a comprehensive four-step process, PSIRT assures responsive communication, remediation, speed, and transparency with all relevant stakeholders.

Fast security incident response

Synology is committed to comprehensive remediation delivered at an industry-leading pace. For zero-day exploits, we make our initial severity assessment within the first 8 hours, with our target time to release a fix within the next 15 hours.

Stakeholder transparency

As a MITRE CVE Numbering Authority, Synology can assign CVE identifiers itself and coordinate disclosure with third-party security researchers to find and fix previously unknown vulnerabilities, while maintaining transparency and trust with stakeholders.

Engaging the infosec community

Synology works closely with the information security community to enhance the safety of our products. Whether through our Security Bug Bounty Program, our role as a multi-year sponsor of Pwn2Own, or through our other engagement efforts, we proudly reward the efforts of diligent security experts who partner with us.

More about Synology’s approach to security


Report security bugs or submit security-related questions.
