Vulnerability Disclosure

At Synchrony, we take the security of our online platforms very seriously. We understand that users may identify or come across security vulnerabilities while using our services or sites, and we encourage them to report these vulnerabilities to us in a responsible and lawful manner. Thank you in advance for your submission. Please note, Synchrony does not operate a public bug bounty program and we make no offer of reward or compensation in exchange for submitting potential issues.

Vulnerability Disclosure Program Guidelines:

Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:

  • Do not engage in any activity that can potentially or actually cause harm to Synchrony, our customers, or our employees.
  • Do not engage in any activity that can potentially or actually stop or degrade Synchrony services or assets.
  • Do not engage in any activity that violates (a) federal or state laws or regulations or (b) the laws or regulations of any country where (i) data, assets or systems reside, (ii) data traffic is routed or (iii) the researcher is conducting research activity.
  • No automated scanning or testing.
  • Do not store, share, compromise or destroy Synchrony or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Synchrony. This step protects any potentially vulnerable data, and you.
  • Do not initiate a fraudulent financial transaction.

Do not perform any of the following actions;

  • Access, download or modify data that does not belong to you.
  • Attempt or execute any Denial-of-Service attack (DOS)
  • Post, transmit, upload, link to, send, or store any malicious software.
  • Conduct testing that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of unsolicited messages.
  • Social engineering of any Synchrony employee, contractor, client, or prospective client.
  • Conduct testing that would degrade the operation of any Synchrony system.
  • Conduct testing on any third-party applications, websites, or services that integrate with or link to Synchrony systems.
  • Threatening or trying to extort Synchrony concerning the vulnerability.

By responsibly submitting your findings to Synchrony in accordance with these guidelines Synchrony agrees not to pursue legal action against you. Synchrony reserves all legal rights in the event of noncompliance with these guidelines.

Reporting:

We urge security researchers/customers/users to share information about any suspected vulnerabilities with the Synchrony Information Security Team. When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome). Report a security issue to the Synchrony security team using the form below.

Our Commitment:

Once a report is submitted, Synchrony commits to provide prompt acknowledgement of receipt of all reports (within three business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.

Responses and communication regarding submissions may come from Bugcrowd. This Vulnerability Disclosure Program does not include monetary award or bounty.