The Synack Red Team | Synack
Synack Red Team

Join our
elite community of the
most trusted security
researchers.

Find your hacker home. We are not a bug bounty program, but instead represent a tight-knit community of skilled ethical hackers who offer support and mentorship to level up your skills. Get paid for doing what you love.

What to expect

as a Synack Red Team member

Our security researchers enjoy flexible schedules, predictable income and countless opportunities for personal and professional growth. Vulnerabilities score big payments, while checklist work through missions can earn consistent hourly payouts. Backed by top legal protection, you can safely and confidently apply your skills across our customers’ environments.

Synack curates the world’s best security researchers in five steps:

  • Resume review
  • Technical assessment
  • Background and ID verification
  • Behavioral interview
  • On-boarding and training

Commitment to Quality

Our security researchers test the limits of our customers’ networks, revealing how far a real adversary could go. More than CERTs or CVEs, we believe effective red-teaming is a mindset that takes curiosity and a collaborative spirit.

Multiple Ways to Earn

Hack in the morning and get paid that night. Researchers get paid for missions, vulnerability identification, report submissions, patch verifications and mentoring.

You’re in Control

Hack as much as you want or in your spare time from anywhere in the world with virtualized workspaces. With 52k tests executed per year, you have a consistent opportunity to grow with us.

Mentorship

We create a space for mentorship and knowledge sharing, which are force multipliers that garner better results than competition alone. You win and the customer wins.

1 0
nicolas Switzerland
nicolas
WebApp / Network / Cloud / OSINT / GDPR / AI/LLM
BattleAngel India
WebApp / API / Network / Cloud / Web3 / OSINT / AI/LLM
polygon
polygon
niden United States
WebApp / API / Cloud / K8s / iOS / Android / AI/LLM
polygon
polygon
Keep Learning Don’t give up, learn something new each day nicolas
Digital Defender As an SRT member, I use my expertise to protect the digital space and make a meaningful difference. Embracing the ever-changing technology landscape, I strive to be the ultimate digital defender. BattleAngel
Diverse Technologies Working as an SRT exposed me to more diverse technologies and hardened environments that has improved my skillset as a researcher niden

Perks

of being a member

Acropolis

We recognize researchers that produce exceptional work for our customers. Grow your career and get recognized for your achievements with Synack.

Envoy

Our mentorship program for those who have a passion for building strong hacking communities and opening doors for newcomers.

Artemis

A subcommunity of SRT who identify as women, nonbinary people or those who identify as a gender minority.

FAQ
Still have questions?
The SRT Process
View
What kind of work would I do as a Synack Red Team member?

Three types:

  • Hunt for security vulnerabilities
  • Checks for weaknesses (Missions)
  • Patch Verification

Finding vulnerabilities pays the most, but you have to find them first. There is one exception: During an hours-long Initial Launch Period, we award a payout to the best reporter for each vulnerability.
Missions are offered and snapped up quickly by SRT. Once you have one, you will earn the money guaranteed if you complete the Mission in time, and according to the rules.

View
What type of work is it?

Synack provides security work for security researchers around the world. Researchers compete on skill, speed and report quality to get their work accepted and ultimately paid. We also have missions which are payments for simpler work. Mission types included confirming or denying suspected vulnerabilities, checking for specific weaknesses in a checklist form and other special tasks.

View
How do missions work?

Missions are work that is claimed or assigned to individual SRT members. Each has a discrete payment for a specific amount of work that must be accomplished in a timely manner.

Missions do not always require finding new vulnerabilities and can take the form of going through checklists such as OWASP and NIST.

View
How do I see what targets I can hack? How do I learn about new targets?

Once on the SRT, you have access to Synack’s portal. It is an ethical hacking platform that seeks to make your hacking time efficient and lucrative. Among other features, it alerts you to new targets, helps you with recon, keeps track of your reports, tells you what has been found already and more.

View
Do I get access to all targets?

Synack ensures that there is a fair opportunity to find vulnerabilities by rotating access to targets across the SRT. This reduces the number of duplicate/wasted effort and helps manage researcher load on customer assets. The more researchers engage and participate, the more targets and opportunities they receive! For example, we may receive a requests for a small set of researchers with specific skills and experience to look at targets.

View
Do I have to find a certain number of vulnerabilities?

To remain active on the SRT, researchers must meet the minimum annual requirements set forth in the annual productivity assessment.

View
Can I publish the vulns I find on my blog?

Typically no, but you can make a request via [email protected]. Publishing is only allowed with customer approval.

View
Can I talk to customers directly?

Customers may from time to time use Synack’s messaging system to communicate with SRT members through the Synack Platform. These communications are typically regarding questions the customer has about work submitted by the SRT member. Furthermore, Synack will not share the identity of its SRT members without the SRT member’s consent, unless required by law or in connection with an investigation of potential rules violations.

View
Am I safe from being sued?

There are a number of international, federal and state cybersecurity laws, including the U.S. Computer Fraud and Abuse Act, which potentially apply to your research on the Synack Platform. We advise you to become familiar with the laws that may apply to you. Your compliance with these laws as well as Synack’s Researcher Terms of Use (Researcher TOU) and the rules of engagement (ROE) applicable to your research will reduce the risk of any lawsuit being brought against you. Reach out to the Synack team in case you have questions on the Researcher TOU or any ROE.

To protect SRT members against certain third-party claims, Synack has agreed to indemnify SRT members against claims resulting from a customer mistake in providing an incorrect scope of work to Synack. The availability of the indemnity is subject to certain terms set forth in the Researcher TOU.

View
Who are your customers?

Synack customers are often large global and government institutions. However, we have a diverse set of customers including small companies and startups.

The Payment Process
View
How can I figure out how much I get paid?

Vulnerability Operations, an internal Synack team, sets the rates for vulnerability payments. No customer sets or awards payments, so the treatment of the SRT is professional and consistent.

View
What do you pay?

A regular mission such as checking for default passwords will earn $25-50, while an ad-hoc mission can easily exceed $100+. Vulnerabilities vary based on their severity and novelty – typical $500 to several thousand dollars. Our average vulnerability payment was in the $600-$900 range in 2020, with very wide variation on individual rewards.

View
Will I become an employee of Synack?

No. You decide how much time you spend and get paid for what you accomplish. For most, hacking as an SRT member is something they do for a few hours each week. For the best SRT, a significant income can be earned, equivalent or higher than the average annual wages of most countries. SRT members are independent contractors of Synack. This will result in income reported via a 1099 form with the IRS for US SRT members and a W8BEN for non-US SRT members.

View
Do you have public bug bounty or vulnerability disclosure programs?

Synack operates responsibledisclosure.com, which has several public, unpaid programs on behalf of our customers. These are open to the public, including SRT. Synack does not operate public, bounty-paying programs to avoid creating incentives that may encourage, or cover for, less than ethical hacking.

The SRT Process
View
What kind of work would I do as a Synack Red Team member?

Three types:

  • Hunt for security vulnerabilities
  • Checks for weaknesses (Missions)
  • Patch Verification

Finding vulnerabilities pays the most, but you have to find them first. There is one exception: During an hours-long Initial Launch Period, we award a payout to the best reporter for each vulnerability.
Missions are offered and snapped up quickly by SRT. Once you have one, you will earn the money guaranteed if you complete the Mission in time, and according to the rules.

View
What type of work is it?

Synack provides security work for security researchers around the world. Researchers compete on skill, speed and report quality to get their work accepted and ultimately paid. We also have missions which are payments for simpler work. Mission types included confirming or denying suspected vulnerabilities, checking for specific weaknesses in a checklist form and other special tasks.

View
How do missions work?

Missions are work that is claimed or assigned to individual SRT members. Each has a discrete payment for a specific amount of work that must be accomplished in a timely manner.

Missions do not always require finding new vulnerabilities and can take the form of going through checklists such as OWASP and NIST.

View
How do I see what targets I can hack? How do I learn about new targets?

Once on the SRT, you have access to Synack’s portal. It is an ethical hacking platform that seeks to make your hacking time efficient and lucrative. Among other features, it alerts you to new targets, helps you with recon, keeps track of your reports, tells you what has been found already and more.

View
Do I get access to all targets?

Synack ensures that there is a fair opportunity to find vulnerabilities by rotating access to targets across the SRT. This reduces the number of duplicate/wasted effort and helps manage researcher load on customer assets. The more researchers engage and participate, the more targets and opportunities they receive! For example, we may receive a requests for a small set of researchers with specific skills and experience to look at targets.

View
Do I have to find a certain number of vulnerabilities?

To remain active on the SRT, researchers must meet the minimum annual requirements set forth in the annual productivity assessment.

View
Can I publish the vulns I find on my blog?

Typically no, but you can make a request via [email protected]. Publishing is only allowed with customer approval.

View
Can I talk to customers directly?

Customers may from time to time use Synack’s messaging system to communicate with SRT members through the Synack Platform. These communications are typically regarding questions the customer has about work submitted by the SRT member. Furthermore, Synack will not share the identity of its SRT members without the SRT member’s consent, unless required by law or in connection with an investigation of potential rules violations.

View
Am I safe from being sued?

There are a number of international, federal and state cybersecurity laws, including the U.S. Computer Fraud and Abuse Act, which potentially apply to your research on the Synack Platform. We advise you to become familiar with the laws that may apply to you. Your compliance with these laws as well as Synack’s Researcher Terms of Use (Researcher TOU) and the rules of engagement (ROE) applicable to your research will reduce the risk of any lawsuit being brought against you. Reach out to the Synack team in case you have questions on the Researcher TOU or any ROE.

To protect SRT members against certain third-party claims, Synack has agreed to indemnify SRT members against claims resulting from a customer mistake in providing an incorrect scope of work to Synack. The availability of the indemnity is subject to certain terms set forth in the Researcher TOU.

View
Who are your customers?

Synack customers are often large global and government institutions. However, we have a diverse set of customers including small companies and startups.

The Payment Process
View
How can I figure out how much I get paid?

Vulnerability Operations, an internal Synack team, sets the rates for vulnerability payments. No customer sets or awards payments, so the treatment of the SRT is professional and consistent.

View
What do you pay?

A regular mission such as checking for default passwords will earn $25-50, while an ad-hoc mission can easily exceed $100+. Vulnerabilities vary based on their severity and novelty – typical $500 to several thousand dollars. Our average vulnerability payment was in the $600-$900 range in 2020, with very wide variation on individual rewards.

View
Will I become an employee of Synack?

No. You decide how much time you spend and get paid for what you accomplish. For most, hacking as an SRT member is something they do for a few hours each week. For the best SRT, a significant income can be earned, equivalent or higher than the average annual wages of most countries. SRT members are independent contractors of Synack. This will result in income reported via a 1099 form with the IRS for US SRT members and a W8BEN for non-US SRT members.

View
Do you have public bug bounty or vulnerability disclosure programs?

Synack operates responsibledisclosure.com, which has several public, unpaid programs on behalf of our customers. These are open to the public, including SRT. Synack does not operate public, bounty-paying programs to avoid creating incentives that may encourage, or cover for, less than ethical hacking.

Apply Now!

The Synack Red Team is where you get paid to grow, collaborate and master your pentesting skills. Become a member of the most trusted community of security researchers.