At Neon, security is our highest priority. We’re committed to implementing best practices and earning the trust of our customers.
Neon is in technical preview, and vulnerabilities may be present. We’ve established a security reporting procedure to address any issues quickly. We recommend using Neon only with public or non-sensitive data at this time.
💡 Reporting issues: If you have a security concern or believe you’ve found a vulnerability in any part of our infrastructure, please contact us. Report any security concerns to [email protected] If you need to share sensitive information, we can provide you with a security contact number through Signal.
Our commitments to solving security cases:
- We will respond to your report within three business days with an evaluation and expected resolution date.
- We will handle your report with strict confidentiality and not share any personal details with third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- Once the report has been resolved, we will credit the finding to you in our public security.txt document, unless you prefer to stay anonymous”
- If we need to access proprietary information or personal data stored in Neon to investigate or respond to a security report, we shall act in good faith and in compliance with applicable confidentiality, personal data protection, and other obligations.
We strive to resolve all problems quickly and publicize any discoveries after their resolution.
Please note that we do not have a bug bounty program, and will not pay financial bonuses or bounties for reporting bugs or vulnerability issues.
How to disclose vulnerabilities
Neon pays close attention to the proper security of its information and communication systems. Despite these efforts, it is not possible to entirely exclude the existence of security vulnerabilities.
If you identify a security vulnerability, please proceed as follows under the principle of responsible disclosure:
- Report the security vulnerability to Neon by contacting us via [email protected] Provide as much information about the security vulnerability as possible.
- Do not exploit the security vulnerability, e.g. by using it to breach data, change the data of third parties, or deliberately disrupt the availability of the service.
- All activities relating to the discovery of the security vulnerability should be performed within the framework of the law.
- Do not inform any third parties about the security vulnerability. All communication regarding the security vulnerability will be coordinated by Neon and our partners.
- If the above conditions are respected, Neon will not take any legal steps against the party that reported the security vulnerability.
- In the event of a non-anonymous report, Neon will inform the party that submitted the report of the steps it intends to take and the progress toward closing the security vulnerability.
Neon's Security Roadmap for Y2022:
Neon is undergoing internal reviews to achieve SOC2 Type 2 certification.
We will share more information about Neon's security plans on the Github soon.
Neon’s infrastructure is hosted and managed within Amazon’s secure data centers in the USA and backed by AWS Cloud Security. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. AWS data center compliance can be found here.