Through this responsible disclosure policy, we want to encourage Neo4j users and independent security researchers to contact us in private in order to report security vulnerabilities and issues related to our products and hosted services.

We welcome all input that helps us identify and mitigate any potential error, weakness or vulnerability and we aim to properly recognize your efforts to help us ensure the security of our products. To protect our users, we would like to be the first and single point of contact when a vulnerability in our products is found.

This email address is to be used as the main communication point for reporting security vulnerabilities and coordinating the investigations that follow. Regular bug reports and other security-related queries can be sent through the other established Neo4j communication channels.

Please include the following information in your report:

  • Name/nickname you’d like to be called
  • Neo4j version and/or module version in scope
  • Steps necessary to reproduce the issue from scratch, as detailed as possible
  • When you first came across the vulnerability
  • (Optional) Common vulnerability information (e.g. CVE, CWE), if applicable
  • (Optional) Any patch proposals

The public key ID is: A7A66BE6 0A24CE10

The public key fingerprint is: D4FD 735E 618E 3CF9 9D89 0E3E A7A6 6BE6 0A24 CE10

It can also be obtained from public key servers (e.g. http://keys.gnupg.net/) under the uid: Neo4j <identity@neo4j.com>.

What to expect from Neo4j:

  • Triage the report and determine if a more in-depth investigation is needed. Reply and collaborate with the issuer throughout the process.
  • Immediately assign the relevant personnel to the investigation and work towards applying a patch within a reasonable timeframe. The time required for this step depends heavily on the severity and complexity of the issue.
  • Personally thank you and publicly recognize your contribution to protecting the graph ecosystem when a fix for the security bug is issued.