Cyntech — Holistic Engineering Solutions
Security

Vulnerability Disclosure

Effective 5 June 2026. We welcome reports from researchers acting in good faith. This policy sets out the rules of engagement, what's in scope and how we'll respond.

1. Reporting a vulnerability

Email security@cyntech.co.za with:

  • A clear description of the issue and its impact.
  • Steps to reproduce, including affected URL(s), payloads and timestamps.
  • Proof-of-concept artefacts (screenshots, requests, video).
  • Your contact details and whether you wish to be credited.

We support PGP-encrypted reports on request. Our security.txt is the canonical machine-readable contact.

2. Our commitments

  • Acknowledgement within 3 business days.
  • Triage outcome within 10 business days.
  • Status updates at least every 14 days while the issue is open.
  • Remediation target: Critical < 7 days · High < 30 days · Medium < 90 days.
  • Credit in our security acknowledgements on request, after the fix is shipped.

3. Safe harbour

If you make a good-faith effort to comply with this policy during your research, we will:

  • Consider your testing authorised under the Cybercrimes Act 19 of 2020 and the Computer Fraud & Abuse Act (US) and equivalent laws.
  • Not pursue or support any legal action against you.
  • Work with you to understand and resolve the issue quickly.

We cannot authorise testing on third-party systems, infrastructure operated by our customers, or anything that breaks applicable law.

4. In scope

  • cyntech.io and www.cyntech.io
  • The client portal (authenticated areas under /portal) using accounts you legitimately own
  • API and server functions exposed by the above

5. Out of scope

  • Findings from automated scanners without a working proof-of-concept.
  • Denial-of-service, volumetric, brute-force or social-engineering attacks.
  • Issues affecting only outdated browsers or unsupported platforms.
  • Missing security headers without a demonstrable exploit.
  • Customer-controlled tenants, content or integrations.
  • Physical attacks, attacks on our staff, or third-party services we do not operate.

6. Rules of engagement

  • Use only accounts you own or have explicit permission to test.
  • Stop and report immediately if you access data that is not yours; do not download, retain or share it.
  • Do not modify, delete or exfiltrate data.
  • Do not publicly disclose the issue until we confirm it is remediated, or 90 days from triage acknowledgement, whichever is sooner — coordinated disclosure.

7. Contact

Security team
Email: security@cyntech.co.za
Trust centre: cyntech.io/trust