Security Disclosure

Reporting a vulnerability

If you've found a security issue in Synzo — in the website, the JSON API, the MCP server, or the dashboard — please report it confidentially:

Please do not disclose the issue publicly until we've had a chance to investigate and ship a fix.

What to include

• A description of the issue and the impact you believe it has.
• Steps to reproduce, including any relevant requests, payloads, or test accounts.
• Any proof-of-concept code or screenshots — please don't include real third-party data.
• Your name or handle if you'd like credit (optional).

What to expect

• Acknowledgement within 3 business days.
• An initial assessment within 7 business days.
• Updates as the fix progresses; coordinated disclosure timing on request.

Scope

In scope: www.synzo.ai, /api/v1/*, /mcp, /dashboard/*, and the WorkOS authentication flow. Out of scope: vulnerabilities in third-party services we use (report those to Google, WorkOS, or Railway directly).

Safe harbor

We will not pursue legal action against researchers acting in good faith — testing within scope, avoiding harm to users or data, and reporting privately before disclosure. Please don't access or modify other users' data, run automated scanners that generate significant load, or perform any action that would degrade availability.