At Neon, security is our highest priority. We are committed to implementing best practices and earning the trust of our users.
Neon is currently in Technical Preview, and vulnerabilities may be present. We have established a security reporting procedure to address security issues quickly. We recommend using Neon only with public or non-sensitive data at this time.
Our commitment to solving security issues
- We will respond to your report within three business days with an evaluation and expected resolution date.
- We will handle your report with strict confidentiality and not share any personal details with third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- Once the report has been resolved, we will credit the finding to you in our public
security.txtdocument, unless you prefer to stay anonymous.
- If we need to access proprietary information or personal data stored in Neon to investigate or respond to a security report, we shall act in good faith and in compliance with applicable confidentiality, personal data protection, and other obligations.
We strive to resolve all problems quickly and publicize any discoveries after their resolution.
Neon does not have a bug bounty program and does not pay financial bonuses or bounties for reporting bugs or vulnerability issues.
How to disclose vulnerabilities
Neon pays close attention to the proper security of its information and communication systems. Despite these efforts, it is not possible to entirely exclude the existence of security vulnerabilities.
If you identify a security vulnerability, please proceed as follows under the principle of responsible disclosure:
- Report the security vulnerability to Neon by contacting us at firstname.lastname@example.org. Provide as much information about the security vulnerability as possible.
- Do not exploit the security vulnerability; for example, by using it to breach data, change the data of third parties, or deliberately disrupt the availability of the service.
- All activities relating to the discovery of the security vulnerability should be performed within the framework of the law.
- Do not inform any third parties about the security vulnerability. All communication regarding the security vulnerability will be coordinated by Neon and our partners.
- If the above conditions are respected, Neon will not take any legal steps against the party that reported the security vulnerability.
- In the event of a non-anonymous report, Neon will inform the party that submitted the report of the steps it intends to take and the progress toward closing the security vulnerability.
Secure data centers
Neon’s infrastructure is hosted and managed within Amazon’s secure data centers backed by AWS Cloud Security. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. For information about AWS data center compliance programs, refer to AWS Compliance Programs.
Neon's security roadmap for 2023
Neon is undergoing internal reviews to achieve SOC2 Type 2 certification.
We will share more information about Neon's security plans on GitHub soon.