Find your hacker home. We are not a bug bounty program, but instead represent a tight-knit community of skilled ethical hackers who offer support and mentorship to level up your skills. Get paid for doing what you love.
Our security researchers enjoy flexible schedules, predictable income and countless opportunities for personal and professional growth. Vulnerabilities score big payments, while checklist work through missions can earn consistent hourly payouts. Backed by top legal protection, you can safely and confidently apply your skills across our customers’ environments.
Synack curates the world’s best security researchers in five steps:
Commitment to Quality
Our security researchers test the limits of our customers’ networks, revealing how far a real adversary could go. More than CERTs or CVEs, we believe effective red-teaming is a mindset that takes curiosity and a collaborative spirit.
Multiple Ways to Earn
Hack in the morning and get paid that night. Researchers get paid for missions, vulnerability identification, report submissions, patch verifications and mentoring.
You’re in Control
Hack as much as you want or in your spare time from anywhere in the world with virtualized workspaces. With 52k tests executed per year, you have a consistent opportunity to grow with us.
Mentorship
We create a space for mentorship and knowledge sharing, which are force multipliers that garner better results than competition alone. You win and the customer wins.
Acropolis
We recognize researchers that produce exceptional work for our customers. Grow your career and get recognized for your achievements with Synack.
Envoy
Our mentorship program for those who have a passion for building strong hacking communities and opening doors for newcomers.
Artemis
A subcommunity of SRT who identify as women, nonbinary people or those who identify as a gender minority.
Three types:
Finding vulnerabilities pays the most, but you have to find them first. There is one exception: During an hours-long Initial Launch Period, we award a payout to the best reporter for each vulnerability.
Missions are offered and snapped up quickly by SRT. Once you have one, you are guaranteed the payment if you complete the Mission in time and according to the rules.
Synack provides security work for security researchers around the world. Researchers compete on skill, speed and report quality to get their work accepted and ultimately paid. We also have missions, which are payments for simpler work. Mission types include confirming or denying suspected vulnerabilities, checking for specific weaknesses in a checklist form and other special tasks.
Missions are work that is claimed or assigned to individual SRT members. Each has a discrete payment for a specific amount of work that must be accomplished in a timely manner.
Missions do not always require finding new vulnerabilities and can take the form of going through checklists such as OWASP and NIST.
Once on the SRT, you have access to Synack’s portal. It is an ethical hacking platform that seeks to make your hacking time efficient and lucrative. Among other features, it alerts you to new targets, helps you with recon, keeps track of your reports, tells you what has been found already and more.
Synack ensures that there is a fair opportunity to find vulnerabilities by rotating access to targets across the SRT. This reduces the amount of duplicate/wasted effort and helps manage researcher load on customer assets. The more researchers engage and participate, the more targets and opportunities they receive! For example, we may receive a request for a small set of researchers with specific skills and experience to look at targets.
To remain active on the SRT, researchers must meet the minimum annual requirements set forth in the annual productivity assessment.
Typically no, but you can make a request via [email protected]. Publishing is only allowed with customer approval.
Customers may from time to time use Synack’s messaging system to communicate with SRT members through the Synack Platform. These communications are typically regarding questions the customer has about work submitted by the SRT member. Furthermore, Synack will not share the identity of its SRT members without the SRT member’s consent, unless required by law or in connection with an investigation of potential rules violations.
There are a number of international, federal and state cybersecurity laws, including the U.S. Computer Fraud and Abuse Act, which potentially apply to your research on the Synack Platform. We advise you to become familiar with the laws that may apply to you. Your compliance with these laws as well as Synack’s Researcher Terms of Use (Researcher TOU) and the rules of engagement (ROE) applicable to your research will reduce the risk of any lawsuit being brought against you. Reach out to the Synack team in case you have questions on the Researcher TOU or any ROE.
To protect SRT members against certain third-party claims, Synack has agreed to indemnify SRT members against claims resulting from a customer mistake in providing an incorrect scope of work to Synack. The availability of the indemnity is subject to certain terms set forth in the Researcher TOU.
Synack customers are often large global and government institutions. However, we have a diverse set of customers including small companies and startups.
Vulnerability Operations, an internal Synack team, sets the rates for vulnerability payments. No customer sets or awards payments, so the treatment of the SRT is professional and consistent.
A regular mission such as checking for default passwords will earn $25-50, while an ad-hoc mission can easily exceed $100. Vulnerability payments vary based on severity and novelty, typically $500 to several thousand dollars. Our average vulnerability payment was in the $600-$900 range in 2020, with very wide variation on individual rewards.
No. You decide how much time you spend and get paid for what you accomplish. For most, hacking as an SRT member is something they do for a few hours each week. For the best SRT, a significant income can be earned, equivalent to or higher than the average annual wages of most countries. SRT members are independent contractors of Synack. This will result in income reported via a 1099 form with the IRS for US SRT members and a W8BEN for non-US SRT members.
Synack operates responsibledisclosure.com, which has several public, unpaid programs on behalf of our customers. These are open to the public, including SRT. Synack does not operate public, bounty-paying programs to avoid creating incentives that may encourage, or cover for, less than ethical hacking.
The Synack Red Team is where you get paid to grow, collaborate and master your pentesting skills. Become a member of the most trusted community of security researchers.