Vulnerability Reporting

If you find a security issue, please report it privately. Do not open public issues for active vulnerabilities.

Guidelines

• Include reproduction steps and affected versions if possible.
• Provide logs only if they don’t contain secrets.
• Allow reasonable time for a fix before public disclosure.

Protect Your Rulebase

• Do not store credentials in `.synapse/` rules.
• Keep secrets in environment variables or a secret manager.
• Review generated outputs before committing to your repo.

License Key Safety

• The VS Code extension stores your license key using VS Code SecretStorage.
• Checkout key retrieval uses a per-checkout access token passed in the URL fragment (not sent as a referrer).
• License validation is server-side and enforces “1 key = 1 machine” using an instance id.
• We avoid logging full license keys or secrets in server logs.

Contact

Email: admin@labs-synapse.com