Found a vulnerability? Report it responsibly to security@nodesyn.com before any public disclosure. We acknowledge within 5 business days and work with you in good faith.
Our Security Model
NodeSyn is self-hosted software — your security posture is primarily in your hands. We build the software with security as a first principle; you control the server it runs on, the network it lives in, and who has access to it.
What NodeSyn Implements
- AES-256 encrypted communications — all agent-to-server traffic is encrypted
- No cloud data transmission — your monitoring data never leaves your server under any circumstances
- bcrypt password hashing — dashboard credentials are bcrypt-hashed and stored locally on your server
- HMAC-signed license cache — the local license cache is cryptographically signed to detect tampering
- HMAC-signed agent grace files — signed with a machine-specific key to prevent spoofing
- SHA-256 verified updates — all server and agent update packages are hash-verified before being applied
- Full audit log — every admin action is logged with timestamp, user account, and target node
- Role-based access control — Admin, Technician, and Viewer roles with distinct permission levels
- SSL/HTTPS support — bring your own certificate for fully encrypted dashboard access over your domain
- Session management — sessions expire automatically and can be invalidated manually
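Two of the items above, the HMAC-signed license cache and the SHA-256 verified updates, are integrity checks that are easy to get subtly wrong (a non-constant-time comparison, a key that is not actually machine-specific, a cache that verifies on any host). The following is an added illustration of how such checks are typically built and how a tampered file is detected; it is not NodeSyn's code, and the key-derivation scheme, the file layout (JSON body, newline, hex tag), the function names and all sample values are assumptions constructed for the example.

```python
"""Integrity checks of the kind the feature list describes: an HMAC-signed
local cache bound to a machine-specific key, and a SHA-256 verified update
package. Added illustration only; NodeSyn's real formats are not known here."""
import hashlib
import hmac
import json
import os
import tempfile


def machine_key(machine_id: str, salt: bytes) -> bytes:
    # Assumed scheme: derive the signing key from a machine identifier plus a
    # salt stored beside the cache, so a cache copied to another host fails.
    return hashlib.pbkdf2_hmac("sha256", machine_id.encode(), salt, 100_000)


def sign_cache(payload: dict, key: bytes) -> bytes:
    """Serialise the payload canonically and append an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def verify_cache(blob: bytes, key: bytes):
    """Return the payload if the tag verifies under this machine's key, else None."""
    try:
        body, tag = blob.rsplit(b"\n", 1)
    except ValueError:
        return None  # malformed: no tag present
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # compare_digest avoids leaking the tag through timing differences
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def sha256_file(path: str) -> str:
    """Stream the file so large update packages do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_update(path: str, expected_hex: str) -> bool:
    """Apply an update only when its digest matches the published one."""
    return hmac.compare_digest(sha256_file(path), expected_hex.lower())


def demo() -> dict:
    # All identifiers and contents below are constructed sample data.
    key = machine_key("constructed-machine-id-0001", b"constructed-salt")
    other_key = machine_key("constructed-machine-id-0002", b"constructed-salt")
    cache = sign_cache({"licence": "constructed", "expires": "2099-01-01"}, key)
    tampered = cache.replace(b"2099", b"2199")  # edit the expiry in place
    results = {
        "cache_ok": verify_cache(cache, key) is not None,
        "cache_tampered": verify_cache(tampered, key) is None,
        "cache_other_machine": verify_cache(cache, other_key) is None,
    }
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "update.pkg")
        payload = b"constructed update package bytes"
        with open(pkg, "wb") as f:
            f.write(payload)
        published = hashlib.sha256(payload).hexdigest()
        results["update_ok"] = verify_update(pkg, published)
        results["update_wrong_hash"] = not verify_update(pkg, "00" * 32)
    return results


if __name__ == "__main__":
    print(demo())
```

The three cache cases in `demo()` are the ones worth checking when reviewing any signed-cache design: an untouched file verifies, an edited body fails, and the same file moved to a different machine fails because the key is derived from that machine's identity. For updates, the published digest must come from a source the attacker cannot also control (for instance, fetched over HTTPS from the vendor rather than shipped inside the package), otherwise the hash check only proves the download was not corrupted in transit.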
Your Responsibilities
- Run NodeSyn on a properly firewalled Windows server
- Restrict dashboard port access to authorised networks and IP ranges
- Use a strong, unique admin password — never reuse passwords
- Enable SSL in Settings → SSL/HTTPS before exposing the dashboard over the internet
- Keep Windows fully updated on your NodeSyn server machine
- Back up your NodeSyn data directory on a regular schedule
- Review the audit log periodically for unexpected activity
- Restrict which team members have Admin vs Technician vs Viewer access
Recommended Network Configuration
- Do not expose the NodeSyn dashboard port directly to the internet without SSL and a reverse proxy
- Consider placing NodeSyn behind a VPN for internal access
- Use firewall rules to restrict inbound access to the dashboard port to known IP ranges
- Agents communicate outbound to your server — no inbound ports need to be opened on agent machines
Responsible Disclosure Policy
If you discover a security vulnerability in NodeSyn software or infrastructure, we ask that you:
- Email security@nodesyn.com with full details before any public or third-party disclosure
- Give us a minimum of 30 days to investigate, develop a fix, and release an update
- Not exploit the vulnerability beyond what is strictly necessary to demonstrate its existence
- Not access, modify, or exfiltrate data that does not belong to you during your research
- Not disclose vulnerability details to other parties during the disclosure window
We will acknowledge your report within 5 business days, keep you informed of progress, and credit you by name in release notes if you wish. We do not currently operate a paid bug bounty programme but we genuinely appreciate responsible disclosure and treat every report seriously.