Vulnerability disclosure

How to report

Report suspected vulnerabilities through the agreed customer/pilot security channel. A dedicated public security mailbox should be activated before paid self-serve launch and listed here once it is operational.

Include the affected route or package, reproduction steps, potential impact, tenant or account context if relevant, and whether any data may have been exposed.

Good-faith testing

• Do not access, modify, delete, or exfiltrate another tenant's data.
• Do not run destructive, high-volume, social engineering, spam, or denial-of-service tests.
• Do not publish details before Syllecta has had a reasonable chance to investigate and mitigate.
• Stop testing and report immediately if you encounter sensitive data.

What to expect

Syllecta will review the report, ask for clarification when needed, prioritize based on impact, and coordinate remediation. Formal bounty payments are not offered by default unless a separate written program is announced.

Security claims

Syllecta does not currently claim SOC 2 or ISO 27001 certification, HIPAA or PCI compliance, or GDPR compliance. Current security pages describe implemented controls and clearly marked roadmap items.