Operating systems: rewards up to US $30,000
Includes Synology DiskStation Manager, Synology Router Manager, and Synology BeeStation.
Software and C2 cloud services: rewards up to US $10,000
Covers software packages developed by Synology, the related mobile applications, and the C2 cloud services.
Web services: rewards up to US $5,000
Covers all of Synology's main web services.
- You are the first researcher to report the specific security issue.
- The security issue you report is confirmed to be verifiable, reproducible, and eligible for a reward.
- You comply with all terms and rules of this program.
Contact us through the bug bounty program contact form.
When reporting a security vulnerability to Synology, encrypt the information you submit with this PGP key.
Attach a detailed proof of concept (PoC) and confirm that the reported security issue can be reproduced.
Keep the submission concise; for example, a link to a short PoC carries more information than a video explaining the impact of an SSRF issue.
- Provide a clear written description with step-by-step instructions for reproducing the security issue (in English).
- Describe how the security issue affects Synology products or web services, including the version and platform.
- Describe the potential impact of the reported security issue.
| Rewards | Eligible security reports receive up to US $30,000.* |
|---|---|
| Product scope | Only security issues in officially released versions of products and services are accepted: DiskStation Manager (DSM); Synology Router Manager (SRM)**; Synology camera firmware***; Synology BeeStation |
| Rules and restrictions | Only security issues in Synology products and services are accepted. Any action that could compromise Synology servers or data is strictly prohibited. No security testing may violate any law. The following security issues are not eligible for a reward: |

*See the reward details page on the bug bounty program website for details.
**The maximum reward for SRM_LAN vulnerabilities is $5,000.
***The maximum reward for camera firmware vulnerabilities is $10,000.
| Rewards | Eligible security reports receive up to US $10,000.* |
|---|---|
| Product scope | Only security issues in officially released versions of products and services are accepted. Packages: software packages developed by Synology. Desktop clients: Windows, macOS, and Linux applications developed by Synology. Mobile apps: Android and iOS applications developed by Synology. Synology Account. C2 services: the *.c2.synology.com domains. |
| Rules and restrictions | Only security issues in Synology products and services are accepted. Any action that could compromise Synology servers or data is strictly prohibited. No security testing may violate any law. The following security issues are not eligible for a reward: |

*See the reward details page on the bug bounty program website for more information.
| Rewards | Eligible security reports receive up to US $5,000.* |
|---|---|
| Product scope | Domains (including subdomains) covered by the web services scope: *.synology.com. Domains (including subdomains) not covered: openstack-ci-logs.synology.com, router.synology.com. Synology may change this list at any time without notice. |
| Rules and restrictions | Only security issues in Synology products and services are accepted. Any action that could compromise Synology servers or data is strictly prohibited. No security testing may violate any law. Domains (including subdomains) not covered by the web services scope: openstack-ci-logs.synology.com, router.synology.com. |

*See the reward details page on the bug bounty program website for more information.
| Vulnerability class | Operating systems | Software and C2 cloud services | Web services |
|---|---|---|---|
| Zero-click pre-auth RCE | $30,000 | $10,000 | $5,000 |
| Zero-click pre-auth arbitrary file r/w | $9,000 | $4,600 | $2,400 |

| Vulnerability class | Operating systems | Software and C2 cloud services | Web services |
|---|---|---|---|
| 1-click pre-auth RCE | $8,000 | $4,000 | $2,000 |
| Zero-click normal-user-auth RCE | $7,500 | $3,900 | $1,900 |
| Zero-click normal-user-auth arbitrary file r/w | $6,500 | $3,400 | $1,700 |
| Zero-click pre-auth RCE (AC:H) | $6,500 | $3,400 | $1,700 |
| 1-click pre-auth RCE (AC:H) | $5,000 | $2,500 | $1,325 |
| Pre-auth SQL injection | $3,800 | $1,950 | $1,025 |
| 1-click normal-user-auth RCE (AC:H) | $2,600 | $1,350 | $725 |
| Pre-auth stored XSS | $2,600 | $1,350 | $725 |

| Vulnerability class | Operating systems | Software and C2 cloud services | Web services |
|---|---|---|---|
| Normal-user-auth stored XSS | $1,350 | $733 | $417 |
| Normal-user-auth SQL injection | $1,200 | $607 | $353 |
| Admin-auth vulnerabilities¹ | $100 | $100 | $100 |

"AC:H" refers to the CVSS Attack Complexity: High metric, i.e. exploitation depends on conditions outside the attacker's control.

1. As of October 1, 2024, the reward for admin-auth vulnerabilities is adjusted to $100.
Notes:
- Although eligibility criteria are provided, every security report is handled individually and evaluated in full. Scoring takes many factors into account, including but not limited to the scope described in the eligibility criteria. Synology reserves the right to adjust rewards and retains final authority over interpretation.
- Reports judged to have low security impact, or classified only as recommendations, receive public acknowledgment only.
- Khoadha from VCSLab of Viettel Cyber Security ( https://viettelcybersecurity.com/)
- Tim Coen (https://security-consulting.icu/)
- Mykola Grymalyuk from RIPEDA Consulting
- Zhao Runzi (赵润梓)
- Andrea Maugeri (https://www.linkedin.com/in/andreamaugeri)
- Offensive Security Research @ Ronin (https://ronin.ae/)
- Nathan (Yama) https://DontClickThis.run
- M Tayyab Iqbal (www.alphainferno.com)
- Only Hack in Cave (tr4ce(Jinho Ju), neko_hat(Dohwan Kim), tw0n3(Han Lee), Hc0wl(GangMin Kim)) (https://github.com/Team-OHiC)
- Wonbeen Im, STEALIEN (https://stealien.com)
- 赵润梓, 李建申 (https://lsr00ter.github.io)
- Cheripally Sathwik (https://www.instagram.com/ethical_hacker_sathwik)
- Steven Lin (https://x.com/5teven1in)
- Qian Chen (@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group
- Mohd Ali (revengerali)
- Endure Secure (https://endsec.au)
- Stephen Argent (https://www.runby.coffee/)
- Qian Chen (@cq674350529) from Codesafe Team of Legendsec at QI-ANXIN Group
- Jan Kopřiva of Nettles Consulting (https://www.nettles.cz/security/)
- Andrej Zaujec (https://www.linkedin.com/in/andrej-zaujec-24ba07158/)
- chumen77 from WeBin Lab of DbappSecurity Co.,Ltd.
- Bruce Chen (https://twitter.com/bruce30262)
- aoxsin (https://twitter.com/aoxsin)
- Armanul Miraz
- Jaehoon Jang, STEALIEN (https://stealien.com)
- Jangwoo Choi, HYEONJUN LEE, SoYeon Kim, TaeWan Ha, DoHwan Kim (https://zrr.kr/SWND)
- Jaehoon Jang, Wonbeen Im, STEALIEN (https://stealien.com)
- Tomer Goldschmidt and Sharon Brizinov of Claroty Research - Team82
- Vo Van Thong of GE Security (VNG) (https://www.linkedin.com/in/thongvv3/)
- Hussain Adnan Hashim (https://www.linkedin.com/in/hussain0x3c)
- TEAM.ENVY (https://team-envy.gitbook.io/team.envy/about-us)
- Tim Coen (https://security-consulting.icu)
- TEAM TGLS (Best of the Best 12th) (https://zrr.kr/SWND)
- Zhao Runzi (赵润梓)
- Kevin Wang (https://twitter.com/kevingwn_)
- Shubham Kushwaha/ meenakshi Maurya (https://github.com/anabelle666)
- Safwat Refaat (@Caesar302)
- Jeffrey Baker (www.Biznet.net)
- Monisha N (https://www.linkedin.com/in/monisha-nagaraj-321524218/)
- Ravi (https://twitter.com/itsrvsinghh)
- remonsec (https://twitter.com/remonsec)
- TheLabda (https://thelabda.com)
- Grant Kellie (https://www.linkedin.com/in/grant-kellie-54a23b238/)
- pulla karthik srivastav (https://www.linkedin.com/in/karthik-srivastav-680359192)
- Muhammad Tanvir Ahmed https://www.facebook.com/tohidulislam.tanvir.948
- Eugene Lim, Government Technology Agency of Singapore (https://spaceraccoon.dev)
- Laurent Sibilla (https://www.linkedin.com/in/lsibilla/)
- Thomas Werschlein (https://www.linkedin.com/in/thomas-werschlein-2293384b)
- Sivanesh kumar (https://twitter.com/sivanesh_hacker)
- Davis Chang. (https://www.linkedin.com/in/hong-tsun-davis-chang/)
- @aoxsin (https://twitter.com/aoxsin)
- Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
- Hasibul Hasan Shawon (@Saiyan0x01)
- Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
- Zain Iqbal (https://www.linkedin.com/in/zain-iqbal-971b76254/)
- Lukas Kupczyk, CrowdStrike Intelligence
- Tomasz Szczechura (https://www.linkedin.com/in/tomasz-szczechura-5189098b/)
- Zhao Runzi (赵润梓)
- Qian Chen (@cq674350529) from Codesafe Team of Legendsec at Qi'anxin Group
- Patrik Fabian (https://websafe.hu)
- Eugene Lim, Government Technology Agency of Singapore (https://spaceraccoon.dev)
- Jeenika Anadani (https://twitter.com/j33n1k4)
- waterpeitw (https://zeroday.hitcon.org/user/waterpeitw)
- Milan katwal (https://www.milankatwal.com.np/)
- N S R de Rooy (https://www.linkedin.com/in/norbert-de-rooy-9b24527/)
- Christian Tucci (https://www.linkedin.com/in/christian-tucci/)
- Ravindra Dagale (https://www.linkedin.com/in/ravindra-dagale-5b0913151/)
- Sanket Anil Ambalkar (https://www.linkedin.com/in/sanket-ambalkar-70211518b/)
- Chirag Agrawal (https://www.linkedin.com/in/chirag-agrawal-770488144/)
- Yimi Hu@baidu.com
- Raman R Mohurle (https://twitter.com/Raman_Mohurle)
- cmj (http://blog.cmj.tw/)
- Parth Manek
- Patrick Williams (https://www.linkedin.com/in/patrick-williams-6992b4104/)
- Amaranath Moger (https://www.linkedin.com/in/amaranath-moger/)
- Dennis Herrmann (Code White GmbH)
- Siddharth Parashar (https://www.linkedin.com/in/siddharth-parashar-b2a21b1b5/)
- Sahil Soni (https://twitter.com/sahil__soni_18?s=08)
- Hasibul Hasan Shawon -[Sec Miner's Bangladesh]
- Devender Rao (https://www.linkedin.com/in/devender-rao)
- RAJIB BAR (https://www.linkedin.com/in/rajib-bar-rjb-b3683314b)
- Atharv Shejwal (https://kongsec.io)
- Xavier DANEST (https://sustainability.decathlon.com/)
- Aditya Shende (http://kongsec.io)
- Andreas Rothenbacher (https://error401.de)
- Rachit Verma @b43kd00r (https://www.linkedin.com/in/b43kd00r/)
- Suraj SK (https://www.linkedin.com/in/suraj-sk/)
- Simon Effenberg (https://www.linkedin.com/in/simon-effenberg)
- Niraj Mahajan (https://www.linkedin.com/in/niraj1mahajan)
- Ayush Pandey (https://www.linkedin.com/in/ayush-pandey-148797175)
- Sivanesh kumar D (https://twitter.com/sivanesh_hacker?s=09)
- Touhid Shaikh (https://securityium.com/)
- N Krishna Chaitanya (https://www.linkedin.com/in/n-krishna-chaitanya-27926aba/)
- Ayush Mangal (https://www.linkedin.com/in/ayush-mangal-48a168110)
- Tameem Khalid (https://www.linkedin.com/in/tameem-khalid-641a4b192/)
- ddaa of TrapaSecurity (https://twitter.com/0xddaa)
- Praveen Kumar
- Oscar Spierings (https://polyform.dev)
- Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
- swings of Chaitin Security Research Lab
- Hasibul Hasan Rifat (https://twitter.com/rifatsec)
- Lanni
- Yeshwanth (https://www.linkedin.com/in/yeshwanth-b-4a560b202)
- Darshan Sunil jogi (https://www.linkedin.com/in/darshan-jogi-9450431b6/)
- Chanyoung So (https://www.linkedin.com/in/chanyoung-so-62551b115/)
- Lanni
- Swapnil Patil (https://www.linkedin.com/in/swapnil-patil-874223195)
- Vladislav Akimenko (Digital Security) (https://dsec.ru)
- Muhammad Junaid Abdullah (https://twitter.com/an0n_j)
- Claudio Bozzato of Cisco Talos (https://talosintelligence.com/vulnerability_reports/)
- Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
- Aditya Soni (https://www.linkedin.com/in/adtyasoni)
- Mansoor Amjad (https://twitter.com/TheOutcastCoder)
- Thomas Fady (https://www.linkedin.com/in/thomas-fady)
- James Smith (Bridewell Consulting) (https://bridewellconsulting.com)
- Kinshuk Kumar (https://www.linkedin.com/in/kinshuk-kumar-4833551a1/)
- Amit Kumar (https://www.linkedin.com/in/amit-kumar-9853731a4)
- Mehedi Hasan Remon (twitter.com/remonsec)
- Joshua Olson (www.linkedin.com/in/joshua-olson-cysa)
- Vaibhav Rajeshwar Atkale(https://twitter.com/atkale_vaibhav)
- Mohammed Eldawody (www.fb.com/eldawody0)
- YoKo Kho (https://twitter.com/YoKoAcc)
- Satyajit Das (https://www.linkedin.com/in/mrsatyajitdas)
- Tinu Tomy (https://twitter.com/tinurock007)
- Aniket Bhutani (https://www.linkedin.com/in/aniket-bhutani-6ba979192/)
- Anurag Muley (https://www.linkedin.com/in/ianuragmuley/)
- Howard Ching (https://www.linkedin.com/in/howard-ching-rhul/)
- Janmejaya Swain (https://www.linkedin.com/in/janmejayaswainofficial)
- Ahmad Firmansyah (https://twitter.com/AhmdddFsyaaah)
- Agrah Jain (www.linkedin.com/in/agrahjain)
- Shivam Kamboj Dattana (https://www.linkedin.com/in/sechunt3r/)
- Pratik Vinod Yadav (https://twitter.com/PratikY9967)
- Akshaykumar Kokitkar (https://mobile.twitter.com/cyber_agent2)
- Shesha Sai C (https://www.linkedin.com/in/shesha-sai-c-18585b125)
- Yash Agarwal (https://www.linkedin.com/in/yash-agarwal-17464715b)
- Jan KOPEC(https://twitter.com/blogresponder)
- Denis Burtanović
- Hasibul Hasan Shawon -[Sec Miner's Bangladesh]
- Georg Delp (https://www.linkedin.com/in/georgdelp/)
- R Atik Islam (https://www.facebook.com/atik.islam.14661)
- Jose Israel Nadal Vidal (https://twitter.com/perito_inf)
- Thomas Grünert (https://de.linkedin.com/in/thomas-gr%C3%BCnert-250905168)
- Matteo Bussani (https://www.linkedin.com/in/matteo-bussani-77b595198/)
- Bing-Jhong Jheng (https://github.com/st424204/ctf_practice)
- Swapnil Patil (https://www.linkedin.com/in/swapnil-patil-874223195)
- Prakash Kumar Parthasarathy (https://www.linkedin.com/in/prakashofficial)
- Kitab Ahmed (www.ahmed.science)
- Ahmad Firmansyah (https://twitter.com/AhmdddFsyaaah)
- Tiziano Di Vincenzo (https://www.linkedin.com/in/tiziano-d-3324a345/)
- Pratik Vinod Yadav (https://www.linkedin.com/in/pratik-yadav-117463149)
- Diwakar Kumar (https://www.linkedin.com/in/diwakar-kumar-5b3843114/)
- Rushi Gayakwad
- Yash Ahmed Quashim (https://www.facebook.com/abir.beingviper)
- Swapnil Kothawade (https://twitter.com/Swapnil_Kotha?s=09)
- Ankit Kumar (https://www.linkedin.com/in/ankit-kumar-42a644166/)
- Aman Rai (https://www.linkedin.com/in/aman-rai-737a19146)
- Rushikesh Gaikwad (https://www.linkedin.com/in/rushikesh-gaikwad-407163171)
- Rupesh Tanaji Kokare (https://www.linkedin.com/in/rupesh-kokare-b63a78145/)
- Sumit Jain (https://twitter.com/sumit_cfe)
- Qian Chen of Qihoo 360 Nirvan Team
- Vishal Vachheta (https://www.linkedin.com/in/vishal-vachheta-a30863122)
- Zhong Zhaochen
- Tomasz Grabowski
- Nightwatch Cybersecurity Research (https://wwws.nightwatchcybersecurity.com)
- Safwat Refaat (https://twitter.com/Caesar302)
- Agent22 (https://securelayer7.net/)
- Hsiao-Yung Chen
- Rich Mirch (https://blog.mirch.io)
- Ronak Nahar (https://www.linkedin.com/in/naharronak/)
- Noman Shaikh (https://twitter.com/nomanAli181)
- David Deller (https://horizon-nigh.org)
- Mehedi Hasan (SecMiners BD) (https://www.facebook.com/polapan.1337)
- Touhid M Shaikh (https://touhidshaikh.com)
- Abhishek Gaikwad
- Kitabuddin Ahmed
- Noman Shaikh (https://twitter.com/nomanAli181)
- Ajit Sharma (https://www.linkedin.com/in/ajit-sharma-90483655)
- Agung Saputra Ch Lages (https://twitter.com/lagesgeges)
- Dan Thomsen (www.thomsen.fo)
- Erik de Jong (https://eriknl.github.io)
- Sphinx 1,2 (https://www.facebook.com/Sphinx01.10/)
- AHMED ELSADAT (https://www.linkedin.com/in/ahmed-elsadat-138755133/)
- Hasibul Hasan (SecMiner)
- Mohammed Eldawody (www.fb.com/eldawody0)
- Chris Schneider
- Abdullah Fares Muhanna (https://www.facebook.com/AbedullahFares)
- Nick Blyumberg (https://www.linkedin.com/in/nickblyumberg/)
- Axel Peters
- Muhammad Junaid Abdullah (https://twitter.com/an0n_j)
- Kyle Green
- Thomas Fady (https://www.linkedin.com/in/thomas-fady)
- Dankel Ahmed (https://hackerone.com/kitab)
- ShuangYY
- HackTrack Security
- Muhammed Ashmil K K (Kavuthukandiyil)
- Muhammad Junaid Abdullah (https://twitter.com/snoviboy)
- Kishan kumar (https://facebook.com/noobieboy007)
- Lays (http://l4ys.tw)
- Ashish Kumar (https://www.facebook.com/buggyashish)
- Lakshay Gupta (http://linkedin.com/in/lakshay-gupta-44102a143)
- Meng-Huan Yu (https://www.linkedin.com/in/cebrusfs/)
- Ifrah Iman (http://www.ifrahiman.com)
- Mohammed Israil (https://www.facebook.com/VillageLad, https://www.linkedin.com/in/mohammed-israil-221656128)
- Taien Wang (https://www.linkedin.com/in/taienwang/)
- Emad Shanab (@Alra3ees) (https://twitter.com/Alra3ees?s=09)
- குகன் ராஜா (Havoc Guhan) (https://fb.com/havocgwen)
- Yasser Gersy (https://twitter.com/yassergersy)
- Ismail Tasdelen (https://www.linkedin.com/in/ismailtasdelen)
- Thomas Fady (https://www.linkedin.com/in/thomas-fady)
- Oliver Kramer (https://www.linkedin.com/in/oliver-kramer-670206b5)
- 1N3@CrowdShield (https://crowdshield.com)
- louys, Xie Wei (解炜), Li Yanlong (李衍龙)
- Zuo Chaoshun (https://www.linkedin.com/in/chaoshun-zuo-5b9559111/)
- Ali Razzaq (https://twitter.com/AliRazzaq_)
- 丁諭祺(Yu-Chi Ding) from DEVCORE CHROOT
- Alex Weber (www.broot.ca)
- Alex Bastrakov (https://twitter.com/kazan71p)
- Mehidia Tania (https://www.beetles.io)
- freetsubasa (https://twitter.com/freetsubasa)
- Łukasz Rutkowski (http://www.forit.pl/)
- Maximilian Tews (www.linkedin.com/in/maximilian-tews)
- Bryan Galao (https://www.facebook.com/xbryan.galao)
- Jim Zhou (vip-cloud.cn)
- Chun Han Hsiao
- Nightwatch Cybersecurity Research (https://wwws.nightwatchcybersecurity.com)
- Olivier Bédard
- Mohamed Eldawody (https://www.facebook.com/Eldawody0)
- Jose Hares (https://es.linkedin.com/in/jose-hares-arrieta-b419233b)
- 郑吉宏, submitted through the GeekPwn platform
- Independent Security Evaluators (ISE) labs
- Independent security researcher, MengHuan Yu, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program
- B.Dhiyaneshwaran (https://www.linkedin.com/in/dhiyaneshwaran-b-27947a131/)
- Freiwillige Feuerwehr Rohrbach (www.ff-rohrbach.de)
- Uriya Yavnieli from VDOO (https://vdoo.com)
- Jung Chan Hyeok
- Zhong Zhaochen (http://asnine.com)
- Honc 章哲瑜 (https://www.facebook.com/you.toshoot)
- Sumit Jain
- Ketankumar B. Godhani (https://twitter.com/KBGodhani)
- karthickumar (Ramanathapuram)
- Alireza Azimzadeh Milani
- Taien Wang (https://www.facebook.com/taien.tw)
- Frédéric Crozat (http://blog.crozat.net/)
- Muhammad Hassaan Khan (https://www.facebook.com/Profile.Hassaan)
- SSD/Kacper Szurek
- Alexander Drabek (https://www.2-sec.com/)
- RAVELA PRAMOD KUMAR (https://mobile.twitter.com/PramodRavela)
- Kushal Arvind Shah of Fortinet’s FortiGuard Labs
- Alvin Poon (https://alvinpoon.myportfolio.com/)
- C.shahidyan, C.Akilan, K.Sai Aswanth
- BambooFox (https://bamboofox.github.io/)
- Sajibe Kanti (https://twitter.com/sajibekantibd)
- Huy Kha (linkedin.com/in/huykha)
- Pal Patel (https://www.linkedin.com/in/pal434/)
- Pethuraj M (https://www.linkedin.com/in/pethu/)
- Ali Ashber (https://www.facebook.com/aliashber7)
- Muzammil Abbas Kayani (@muzammilabbas2 )
- Tayyab Qadir (facebook.com/tqMr.EditOr)
- Babar Khan Akhunzada (www.SecurityWall.co)
- Mahad Ahmed (https://octadev.com.pk)
- JD Duh (blog.johndoe.tw, www.linkedin.com/in/JD-Duh)
- Mubassir Kamdar (http://www.mubassirkamdar.com)
- Daniel Díez Tainta (https://twitter.com/danilabs)
- Tushar Rawool (twitter.com/tkrawool)
- Thrivikram Gujarathi (https://www.linkedin.com/in/thrivikram-gujarathi-certified-ethical-hacker-bug-bounty-hunter-53074796)
- Ashish Kunwar (twitter: @D0rkerDevil)
- Steven Hampton (Twitter: @Keritzy, https://stevenh.neocities.org/)
- Peter Bennink (https://www.linkedin.com/in/peter-bennink/)
- Thomas Fady (https://www.linkedin.com/in/thomas-fady/)
- Roopak Voleti (https://m.facebook.com/sairoopak.voleti)