Neo4j Responsible Disclosure Policy

Have you found a security issue? Tell us about it!

We have a strategic approach to trust, in which security of the products and services play an integral part. We design, build and operate with security in mind. Despite this, we are aware of the fact that errors, mistakes, or even new research uncovering previously unknown risks, will always be part of the threat-landscape. Should you identify an issue, we would like to hear about it to be able to correct the problem as soon as possible.

How to reach us

Send an email to security@neo4j.com. To protect the communication between us, we prefer that you use our PGP key.

When emailing us, make sure to include the following information for us to be able to respond quicker:

  • Detailed description of the vulnerability.
  • How to reproduce the issue.
  • If relevant, any screenshots or other documentation that help us to resolve the issue quicker.
  • Contact information we can use to reach you. If you have a PGP key, link to it as well.

What you can expect from us

We will confirm with you that we have received your report as soon as reasonably possible, and aim to keep you informed on the progress of validation and mitigation.

Once the vulnerability is remediated, we will notify you and invite you to confirm that the solution covers the vulnerability adequately.

Neo4j is currently not running an active bug bounty program, so claims of compensation for reporting will not be accepted. To validate efforts, we will offer to credit your finding on a public list of acknowledgements.

What we can expect from you

In upholding the responsible disclosure practice, we expect you to:

  • Don't break any applicable laws or regulations.
  • Don't exploit potential vulnerabilities to access restricted information.
  • Don't modify or remove information.
  • Don't use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Don't affect availability through denial-of-service attacks.
  • Don't submit trivial issues, such as non-sensitive misconfigurations (e.g. missing cookie flags).
  • Don't do social engineering, phishing, or similar attacks targeting Neo4j personnel and customers.
  • Report any potential vulnerabilities you find to us first, and allow us time to evaluate and mitigate before going public with them.

Acknowledgement

A big thank you to the following people for helping us keep our site and products safe and secure:

Christopher Ellis LinkedIn
Nick Gonella @handled_sigint
Aaditya Kumar Sharma @Assass1nmarcos
Gourab Sadhukhan LinkedIn
Phoenix Whitehat @PhoenixMantis
Anurag Jain csanuragjain
Julien Cretel @jub0bs
Sohail Ahmed LinkedIn
Nicolai Grødum LinkedIn
Pritam Dash LinkedIn
Faizan Ahmed LinkedIn
Gaurang Maheta LinkedIn
Ngo Wei Lin @Creastery of @starlabs_sg
Or Sahar LinkedIn
Adam Reziouk - Airbus LinkedIn
Christopher Schneider - State Farm
Taha Barhaam @TahaBarhaam
Ranjeet Kumar Singh Email