Security: syncupsuite/themes

Security Policy

Supported Versions

Project                  Supported
@syncupsuite/themes      (latest)
webplatform4sync         (latest)
BrandSyncUp              (pre-launch)
LegalSyncUp              (pre-launch)

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

To report a security vulnerability, email: security@syncupsuite.com

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested mitigations

You will receive an acknowledgement within 2 business days. We aim to release a fix or mitigation within 30 days for high-severity issues.

Scope

In scope:

  • All production domains: syncupsuite.com, brandsyncup.com, legalsyncup.com
  • Published npm packages: @syncupsuite/*
  • Claude Code marketplace plugin: webplatform4sync

Out of scope:

  • Third-party services (Cloudflare, Neon, Firebase, GitHub)
  • Social engineering attacks
  • Denial of service

Disclosure Policy

We follow coordinated disclosure. We ask that you:

  • Give us reasonable time to fix the issue before public disclosure
  • Not access or modify data that does not belong to you
  • Not perform actions that could degrade service availability

We will credit researchers in release notes unless they request anonymity.

There aren’t any published security advisories