
Do you perform periodic vulnerability scans?

This IT Security Assessment Report provides an overview of the security posture of SynergyXR's systems based on a series of scans and evaluations.

Introduction

Purpose

The purpose of this IT Security Assessment Report is to provide an overview of the security posture of our systems based on a series of scans and evaluations. By using industry-standard tools, including SSL Labs for SSL/TLS configuration analysis, Security Headers for HTTP header evaluations, and various penetration testing utilities, we aim to highlight key areas of strength and identify any potential areas for improvement. 
This report aims to give our customers transparency and assurance regarding the security measures we have in place to protect their data and interactions with our services.

Scope

The scope of this IT Security Assessment is all online endpoints of the SynergyXR solution. This includes the web application SynergyXR Manager (https://portal.synergyxr.com/) as well as the underlying Azure-based infrastructure of our content backend.

Audience

The target audience of this IT Security Assessment Report is IT professionals, network administrators, business owners, technical leads, asset owners, and general users at our end-user organizations who are interested in the security posture of SynergyXR.

Improvement

SynergyXR is committed to continuous improvement of the IT security offered by the SynergyXR platform. As new relevant tools are identified, their results will be added to the test suite to give as complete a picture of the security state as possible.

New scans will be performed quarterly, or upon request by individual customers. The latest report will always be available online for customers to download and assess.

Online Tool Suite

SSL Labs Report

We utilize the online SSL Server Test to perform a deep analysis of the configuration of our SSL web server. The tool is free and can be accessed from: https://www.ssllabs.com/ssltest/.
A high score in the Qualys SSL Labs report is important to us because it demonstrates our commitment to strong encryption, ensuring the security of our customers' data and reinforcing trust in our product's reliability.

The screenshot below shows the summary of the test. Please see the attached full report: 1.1_qualys_ssl_labs_report_20250324.pdf.

Security Headers Report

We utilize the tool SecurityHeaders.com (https://securityheaders.com/) to evaluate our website’s HTTP security headers, which help protect against common vulnerabilities. A strong score is important to us as it shows our dedication to secure web practices, safeguarding user data and reinforcing trust in our platform's safety.

The screenshot below shows the summary of the test. Please see the attached full report: 1.2_security_headers_report_20250324.pdf.

Mozilla MDN Observatory Report

Launched in 2016, the HTTP Observatory (https://developer.mozilla.org/en-US/observatory) enhances web security by analyzing compliance with best security practices. It has provided insights to over 6.9 million websites through 47 million scans.

The screenshot below shows a summary of the security scan report. Please see the attached full report: 1.3_mdn_report_20250324.pdf.

Pentest Tools Automatic Report

The Pentest Tools report (https://pentest-tools.com/usage/pentest-reporting-tool) scans for vulnerabilities in web applications and networks, identifying potential security risks. Trusted by high-profile companies like Vodafone and ROLEX, this tool is important to us as it validates our security efforts and ensures we proactively address threats, further building trust with our customers.

The screenshot below shows a summary of the report. Please see the attached full report: 1.4_pentest_tools-20250324-1000.pdf.

Certified Security Engineers

This is a list of the certifications held by our Azure security-certified engineers. We strive to always have qualified personnel overseeing security.

NuGet Packages Used

We want to have full transparency regarding the libraries and packages we use to help our partners assess potential risks.

  • AspNetCore.Proxy - Version 4.4.0
  • Azure.Messaging.EventGrid - Version 4.21.0
  • Azure.Storage.Blobs - Version 12.16.0
  • IdentityModel - Version 5.1.0
  • IdentityModel.AspNetCore - Version 3.0.0
  • IdentityModel.OidcClient - Version 4.0.0
  • Microsoft.ApplicationInsights.AspNetCore - Version 2.22.0
  • Microsoft.AspNetCore.Authentication.OpenIdConnect - Version 6.0.12
  • Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation - Version 6.0.12
  • Microsoft.AspNetCore.SpaServices.Extensions - Version 3.1.30
  • Microsoft.Extensions.Logging.AzureAppServices - Version 5.0.10
  • Microsoft.VisualStudio.Web.BrowserLink - Version 2.2.0
  • Microsoft.VisualStudio.Web.CodeGeneration.Design - Version 6.0.11
  • NWebsec.AspNetCore.Middleware - Version 3.0.0
  • RestSharp - Version 112.1.0
  • UAParser - Version 3.1.47
  • glTF2Loader - Version 1.1.4-alpha

A vulnerability check reveals that none of these packages have vulnerabilities. The given project "UnityStudios.Synergy.WebPortal" has no vulnerable packages given the current sources.

Compliance and Best Practices

We are committed to maintaining high standards of security and compliance. As part of our ongoing efforts, we are currently implementing the ISMS ISO/IEC 27001:2022 framework to establish a robust Information Security Management System. This framework will guide our practices in risk management, data protection, and compliance with industry standards, ensuring that we consistently safeguard our customers' information and uphold their trust.

Regular Security Practices

Our regular security practices are designed to ensure a proactive approach to safeguarding our applications and data. We follow the principle of least privilege, ensuring that users and systems have only the permissions necessary to perform their tasks, minimizing potential security risks. We are also committed to following OWASP guidelines, regularly reviewing our code and applications for common vulnerabilities and security weaknesses. This includes conducting code reviews, implementing automated testing for security, and maintaining an ongoing process for identifying and addressing vulnerabilities. By integrating these practices into our development lifecycle, we enhance our overall security posture and protect our customers’ sensitive information.