Security reporting
We have established the following security reporting procedure to address security issues quickly.
important
If you have a security concern or believe you have found a vulnerability in any part of our infrastructure, please contact us at security@neon.tech. If you need to share sensitive information, we can provide you with a security contact number through Signal.
Our commitment to solving security issues
- We will respond to your report within three business days with an evaluation and expected resolution date.
- We will handle your report with strict confidentiality and not share any personal details with third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- After the report has been resolved, we will credit the finding to you in our public
security.txt
document, unless you prefer to stay anonymous. - If we need to access proprietary information or personal data stored in Neon to investigate or respond to a security report, we shall act in good faith and in compliance with applicable confidentiality, personal data protection, and other obligations.
We strive to resolve all problems quickly and publicize any discoveries after their resolution.
Neon does not have a bug bounty program and does not pay financial bonuses or bounties for reporting bugs or vulnerability issues.
How to disclose vulnerabilities
Neon pays close attention to the proper security of its information and communication systems. Despite these efforts, it is not possible to entirely exclude the existence of security vulnerabilities.
If you identify a security vulnerability, please proceed as follows under the principle of responsible disclosure:
- Report the security vulnerability to Neon by contacting us at security@neon.tech. Provide as much information about the security vulnerability as possible.
- Do not exploit the security vulnerability; for example, by using it to breach data, change the data of third parties, or deliberately disrupt the availability of the service.
- All activities relating to the discovery of the security vulnerability should be performed within the framework of the law.
- Do not inform any third parties about the security vulnerability. All communication regarding the security vulnerability will be coordinated by Neon and our partners.
- If the above conditions are respected, Neon will not take any legal steps against the party that reported the security vulnerability.
- In the event of a non-anonymous report, Neon will inform the party that submitted the report of the steps it intends to take and the progress toward closing the security vulnerability.