Security

Security should be documented like a product feature, not buried like a disclaimer.

This page exists so store visitors, users, and reviewers have a clear place to find security posture and report issues.

Current posture

What matters most today

  • Synapse is built on Manifest V3 and keeps core data local where possible.
  • Security-sensitive flows should be explained alongside the permissions and integrations they require.
  • Some known review areas still exist, including token handling and broad capability review.
  • Security claims should not outrun the actual implementation.
Disclosure

How to report an issue

  • Email support@synapsetools.co with subject line Security Report.
  • Include a clear summary, affected product, steps to reproduce, and impact.
  • Please avoid public disclosure until the report is acknowledged and reviewed.
  • Use encrypted or access-controlled sharing for sensitive proof material when possible.
Release discipline

Before public release

  • Re-check permission scope against current feature reality.
  • Run syntax, contract, safety, and smoke checks.
  • Keep privacy, support, and listing copy aligned with the shipped build.
Security docs

Should stay current

  • Security contact path.
  • Known limitations and risk areas.
  • Release-relevant changes when security posture shifts.