At Symology Ltd, we take pride in the rigorous testing and quality assurance that underpin our products and services. While we do not expect vulnerabilities to occur, we recognise that maintaining the highest standards of security is a shared responsibility. To support this, we welcome responsible reporting from customers.

If you identify a potential security vulnerability, we ask that you report it through our established Salesforce case process. This ensures your report is logged, tracked, and triaged promptly so that our Security Team can assess and address it effectively. Your report enables us to take prompt action and continue delivering secure, reliable services.

If you believe you have discovered a security vulnerability in our systems or services, we encourage you to report it to us. Please follow these guidelines when reporting a vulnerability:

1. Contact Information: Raise a security ticket by filling in your contact details and details of the security vulnerabily using the form below. This allows the matter to be triaged by the Helpdesk and sent to our Security Team.
2. Information to Include: Provide a detailed description of the vulnerability, including:

• The type of vulnerability
• The affected system or service
• Steps to reproduce the vulnerability
• Any potential impact or risk associated with the vulnerability

Upon receiving your report, we commit to the following actions:

• Acknowledgment: We will automatically receive acknowledgement of your case with an allocated reference number.
• Assessment: Our security team will assess the reported vulnerability and determine its validity and severity.
• Communication: We will keep you informed of the progress of our investigation and any actions taken to address the vulnerability at reasonable intervals depending on severity. Critical issues will be prioritised.
• Resolution: We will work to resolve the vulnerability as quickly as possible and will notify you once it has been addressed.

This policy is intended for authorised customers and their nominated users. It does not invite or authorise testing by unauthorised users or third‑parties and does not permit any activity outside normal, authorised use of Symology services.

This policy applies to vulnerabilities in Symology’s SaaS used by authorised customers, including but not limited to:

• Web applications
• Mobile applications
• Application Programming Interface

We appreciate your help in keeping our systems secure. If you discover a potential vulnerability, please follow these principles when reporting it:

• Do No Harm: Do not perform actions that could disrupt or degrade our services or compromise data (e.g., denial‑of‑service, social engineering, phishing, credential stuffing). Proofs of concept should be benign and non‑destructive.
• Respect Privacy: Do not attempt to access, modify, or delete data that does not belong to you.
• Report Responsibly: Share details of the issue with us privately and allow reasonable time for us to investigate and resolve.
• Provide Clear Information: Include enough detail for us to reproduce and understand the issue (e.g., steps taken, affected components, and any relevant screenshots or logs).
• Customer initiated penetration tests: Please share the results of any penetration tests you may carry out with Symology using the same contact procedure outlined above. Where testing might affect service, please coordinate dates and scope with us in advance.

If you are a Symology customer and report a potential security vulnerability to us in good faith, we will treat your report as a responsible disclosure. No action will be taken against customers who follow this policy, act within the normal use of our products and services, and report issues privately through our approved support channels.

We appreciate your efforts to help us maintain the security of our systems and services. Your contributions are invaluable in ensuring the safety and integrity of our offerings

Please use this form to report a vulnerability