Neo4j Responsible Disclosure Policy

Have you found a security issue? Tell us about it!

We have a strategic approach to trust, in which security of the products and services play an integral part. We design, build and operate with security in mind. Despite this, we are aware of the fact that errors or new research uncovering previously unknown risks, will always be part of the threat landscape. Should you identify an issue, we would like to hear about it to be able to correct the problem as soon as possible.

Reporting vulnerabilities

Send an email to security@neo4j.com. To protect the communication between us, we prefer that you use our PGP Key

When emailing us, make sure to include the following information for us to be able to respond quicker:

  • Detailed description of the vulnerability, including detailed information about the target system.
  • How to reproduce the issue.
  • If relevant, any screenshots or other documentation that help us to resolve the issue quicker.
  • Contact information we can use to reach you. If you have a PGP key, link to it as well.

What you can expect from us

We will confirm with you that we have received your report as soon as reasonably possible, and aim to keep you informed on the progress of validation and mitigation.

Once the vulnerability is remediated, we will notify you and invite you to confirm that the solution covers the vulnerability adequately.

Neo4j is currently not running an active bug bounty program, so claims of compensation for reporting will not be accepted. To validate efforts, we will offer to credit your finding on a public list of acknowledgements. acknowledgments. If you are interested in being credited, please let us know explicitly in your report, and provide the following details:

  • Your name or an alias that you want to see on the acknowledgement
  • (Optional) LinkedIn or GitHub link
  • (Optional) The name of the organisation you want to be credited
CVE assignment

Should the finding be in Neo4j scope as a CNA authority and warrant a CVE record, one will be created and curated by Neo4j. All records are tracked here.

CVE disputes

As a reporter of the vulnerability, you may dispute our ruling on the status of it, or the tracking CVE. If so the following process will be followed by us:

  1. when receiving a CVE dispute, we will evaluate the argument based on the provided data.
  2. the dispute is acknowledged
  3. Neo4j follows the CVE Program CNA Operational rules to make decisions on reported vulnerabilities and CVE record management.

If as a reporter, you do not agree with the assessment that Neo4j has made on a reported vulnerability when a CVE has not been assigned or an assigned CVE has been rejected, you may let us know through security@neo4j.com. We’ll follow the CVE Program Policy and Procedure for Disputing a CVE Record to handle the resolution of this dispute within our scope as a CNA.

Neo4j will be open to negotiating any disputes and reconsider our position on previous assessments if enough evidence and information is provided by the reporter.

What we expect from you

In upholding the responsible disclosure practice, we expect that you to:

  • Don't break any applicable laws or regulations
  • Don’t exploit potential vulnerabilities to access restricted information
  • Don’t modify or remove information
  • Don't use high-intensity invasive or destructive scanning tools to find vulnerabilities
  • Don’t affect the availability by denial of service attacks
  • Don't submit trivial issues (see examples below
  • Don't execute social engineering, phishing, or similar attacks targeting Neo4j personnel and/or customers
  • Report any found potential vulnerabilities to us first, and allow us time to evaluate and mitigate before going public with it
Examples of issues we consider trivial and out of scope
  • Vulnerabilities requiring physical access to the victim’s unlocked computer or device; pre-existing root/system privileges or MITM on the victim’s computer or device
  • Account enumeration attacks
  • Attacks targeting outdated or obscure browsers
  • Insecure cookie settings/flags on non-sensitive cookies
  • Weak SSL/TLS algorithms, protocols, or cyphers
  • CSRF with no security impact (unathenticated/login/logout CSRF)
  • Best practices deviation (password complexity, expiration, re-use etc)
  • Clickjacking on pre-authenticated pages, lack of anti-clickjacking headers, or other non-exploitable clickjacking issues
  • Known vulnerable libraries without a novel and working Proof of Concept
  • Reflected file download
  • Content spoofing and text injection issues without being able to modify HTML/CSS
  • Homograph links
  • Bypassing rate limits or the non-existence of rate limits that have no platform impact (don’t execute DoS to “prove” impact!)
  • Exposure of internal domains on public domains
  • Vulnerabilities only affecting users of outdated or unpatched versions, or installations where the configuration is weakened from the default out of the box options
  • Out of date software or libraries
  • Any issues related to credential stuffing and account takeover
  • Spam or social engineering techniques
  • Deviation from best practices, information disclosures, verbose or unique error pages, stack traces (without substantive proof of concept of exploitability)
  • HTTP TRACE or OPTIONS methods enabled
  • Lack of security-related headers
  • Self-XSS and issues exploitable only through self-XSS
  • Bugs that do not represent security risk
  • Opinions on design/architecture
  • Hardcoded API keys in applications (without substantive demonstration of significant risk)
  • Attacks that rely on presenting the user with fake UI that is visually identical to Neo4j UI
  • Any other submissions determined to be low risk, based on unlikely hypothetical attack vectors, requiring significant user interaction, or resulting in minimal impact

Acknowledgement

A big thank you to the following people for helping us keep our site and products safe and secure:

Christopher Ellis LinkedIn
Nick Gonella @handled_sigint
Aaditya Kumar Sharma @Assass1nmarcos
Gourab Sadhukhan LinkedIn
Phoenix Whitehat @PhoenixMantis
Anurag Jain @csanuragjain
Julien Cretel @jub0bs
Sohail Ahmed LinkedIn
Nicolai Grødum LinkedIn
Pritam Dash LinkedIn
Faizan Ahmed LinkedIn
Gaurang Maheta LinkedIn
Ngo Wei Lin @Creastery of @starlabs_sg
Or Sahar LinkedIn
Adam Reziouk - Airbus LinkedIn
Christopher Schneider – State Farm  
Taha Barhaam @TahaBarhaam
Ranjeet Kumar Singh Email