Security and Responsible Disclosure
Neuron7, Inc. ("Neuron7," "we," "us," or "our") takes the security of the www.neuron7.ai website (the "Site") seriously. This page explains how to report a potential security issue and the guidelines we ask researchers to follow. It supplements our Terms of Use and Privacy Policy.
1. Trust Center
Authoritative security documentation — including our certifications, security controls, subprocessors, and security questionnaires — is maintained through the Neuron7 Trust Center. Please refer to the Trust Center for our current security posture and compliance artifacts. This page covers only how to report security issues affecting the Site.
2. Reporting a vulnerability
If you believe you have discovered a security vulnerability affecting the Site, please report it to us at:
Please include enough information for us to reproduce and validate the issue, such as a description of the vulnerability, the affected URL or component, and the steps to reproduce it. We will acknowledge legitimate reports and work to validate and address confirmed issues.
3. Guidelines for testing
When investigating or reporting a security issue, we ask that you:
- Make a good-faith effort to avoid privacy violations, data destruction, and degradation or interruption of the Site.
- Do not access, modify, download, or delete data that does not belong to you, and only interact with accounts you own or have explicit permission to test.
- Do not use social engineering, phishing, physical attacks, or denial-of-service techniques.
- Do not run automated scanning at a volume that could degrade or disrupt the Site.
- Give us a reasonable opportunity to investigate and remediate the issue before disclosing it publicly, and do not disclose details to any third party without our consent.
- Comply with all applicable laws.
4. Safe harbor
If you make a good-faith effort to comply with this page during your security research, we will consider your testing to be authorized, will work with you to understand and resolve the issue promptly, and will not pursue or support legal action against you in connection with your report. This safe harbor does not apply to activity that is malicious, that violates the law, or that compromises the privacy or safety of others or the availability of the Site. If legal action is initiated by a third party against you for activities conducted in accordance with this page, we will make our authorization known.
5. Bug bounty and rewards
We operate a bug bounty program and may offer rewards to researchers who responsibly report qualifying vulnerabilities in accordance with this page. Rewards are granted at Neuron7's sole discretion, and the amount (if any) is determined based on a number of factors, including:
- The severity and exploitability of the issue and the level of access it could provide.
- The potential impact, including any risk of data loss, exposure, or unauthorized access to data.
- Whether the issue is novel or has already been reported by another researcher (only the first eligible report of a given issue is considered for a reward).
- Whether the issue is already known to us, is already being addressed, or has been previously disclosed.
- The quality and completeness of the report, including clear reproduction steps that help us validate and remediate the issue.
- Whether the report and any testing complied with the guidelines and safe harbor described on this page.
Issues that are out of scope, duplicates, previously known, low or no security impact, or that result from activity violating this page are generally not eligible for a reward. With your permission, we are also happy to acknowledge researchers who responsibly report valid issues. Eligibility and reward determinations are final.
Examples of findings generally considered out of scope
Examples of findings that are generally not eligible for rewards include:
- Missing or recommended security headers without demonstrable exploitability, for example HSTS, CSP, X-Frame-Options, and Referrer-Policy.
- TLS hardening recommendations without demonstrated security impact.
- SPF, DKIM, or DMARC configuration recommendations without demonstrable exploitation.
- Clickjacking findings without a demonstrated exploit path.
- Missing rate limiting without demonstrated abuse impact.
- Publicly accessible marketing pages, documentation, or intended public content.
- Informational findings or configuration best-practice recommendations.
- Social engineering, phishing, physical security testing, or denial-of-service activity.
- Automated scanning or excessive testing that impacts availability.
- Reports involving already known issues, duplicate submissions, or issues without meaningful security impact.
Neuron7 reserves final discretion in determining eligibility and scope.
6. Contact
Neuron7, Inc.
San Jose, California, United States
Email: [email protected]