Neo4j Responsible Disclosure Policy

Have you found a security issue? Tell us about it!

We have a strategic approach to trust, in which security of the products and services play an integral part. We design, build and operate with security in mind. Despite this, we are aware of the fact that errors, mistakes, or even new research uncovering previously unknown risks, will always be part of the threat-landscape. Should you identify an issue, we would like to hear about it to be able to correct the problem as soon as possible.

How to reach us

Send an email to security@neo4j.com. To protect the communication between us, we prefer that you use our PGP Key

When emailing us, make sure to include the following information for us to be able to respond quicker:

  • Detailed description of the vulnerability.
  • How to reproduce the issue.
  • If relevant, any screenshots or other documentation that help us to resolve the issue quicker.
  • Contact information we can use to reach you. If you have a PGP key, link to it as well.

What you can expect from us

We will confirm with you that we have received your report as soon as reasonably possible, and aim to keep you informed on the progress of validation and mitigation.

Once the vulnerability is remediated, we will notify you and invite you to confirm that the solution covers the vulnerability adequately.

Neo4j is currently not running an active bug bounty program, so claims of compensation for reporting will not be accepted. To validate efforts, we will offer to credit your finding on a public list of acknowledgements.

What we can expect from you

In upholding the responsible disclosure practice, we expect that you to:

  • Don't break any applicable laws or regulations
  • Don’t exploit potential vulnerabilities to access restricted information.
  • Don’t modify or remove information.
  • Don't use high-intensity invasive or destructive scanning tools to find vulnerabilities.
  • Don’t affect the availability by denial of service attacks.
  • Don't submit trivial issues, such as non-sensitive mis-configurations e.g missing cookie flags.
  • Don't do social engineering, phishing, or similar attacks targeting Neo4j personnel and customers.
  • Report any found potential vulnerabilities to us first, and allow us time to evaluate and mitigate before going public with it.

Acknowledgement

A big thank you to the following people for helping us keep our site and products safe and secure:

Christopher Ellis LinkedIn
Nick Gonella @handled_sigint
Aaditya Kumar Sharma @Assass1nmarcos
Gourab Sadhukhan LinkedIn
Phoenix Whitehat @PhoenixMantis
Anurag Jain @csanuragjain
Julien Cretel @jub0bs
Sohail Ahmed LinkedIn
Nicolai Grødum LinkedIn
Pritam Dash LinkedIn
Faizan Ahmed LinkedIn
Gaurang Maheta LinkedIn
Ngo Wei Lin @Creastery of @starlabs_sg
Or Sahar LinkedIn
Adam Reziouk - Airbus LinkedIn
Christopher Schneider – State Farm  
Taha Barhaam @TahaBarhaam
Ranjeet Kumar Singh Email