Neon Bug Bounty Program

Introduction

Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.

Program Highlights

Open Scope — Rewards reports for all owned assets based on impact, even if not listed in scope.

Fast Payment — Ensures payment within 1 month of receiving a vulnerability report.

Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor.

Platform Standards — Fully compliant with Platform Standards.

Top Response Efficiency — This program's response efficiency is above 90%.

Managed by HackerOne — Collaboration Enabled. Includes Retesting.

Response Times

• 17 hours — Average time to first response
• 2 days, 11 hours — Average time to triage
• 1 week, 6 days — Average time to bounty
• 2 weeks, 1 day — Average time from submission to bounty
• 1 month, 2 weeks — Average time to resolution

Overview

Neon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.

Time to resolution varies by complexity and severity.

Rewards Summary

Our rewards are based on severity per CVSS (the Common Vulnerability Scoring Standard). Please note these are general guidelines, and reward decisions are up to the discretion of Neon.

Eligible Vulnerabilities

To qualify for rewards, the following criteria must be met:

• You must be the first to report the vulnerability.
• Reports must include full reproduction details and be reproducible on in-scope assets.
• Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).
• Qualification of vulnerabilities is at Neon's sole discretion.

We welcome reports of:

• Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. We have an internal process to notify affected customers directly.
• Any issue allowing unauthorized access, modification, or data exposure.

NOTE Neon has been acquired by Databricks and we maintain two distinct bug bounty programs. It is important to note that Neon and Lakebase share a common codebase; consequently, we can only accept a specific vulnerability report once across both platforms. We strongly advise that prior to submitting a vulnerability report concerning Neon, you verify its applicability to Lakebase and submit the report through the Databricks bounty program, as the associated bounties are typically more substantial.

Scope Exclusions

Core Ineligible Findings

Core Ineligible Findings are out of scope.

Forms

To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:

• Feedback Form
• Support Form
• Request Private Networking Form

Test Credentials and Placeholder Data

Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. Reports must demonstrate impact on a production system to be considered valid.

Subdomain Takeover

Subdomain takeovers that lack demonstrable impact are out of scope.

Automated Reports

Sending vulnerability reports using automated tools without validation.

Known Vulnerabilities

We're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:

• CSRF
• HTML injection
• Invalid Session termination

Non-Qualifying Vulnerabilities and Exclusions

In addition to the "HackerOne's Core Ineligible Findings" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:

• Unfixed issues in third-party components (vendor-dependent).
• Missing "best practices" that do not introduce a security vulnerability.
• Rate limiting (please avoid excessive testing, as it may trigger alerts).
• Vulnerable libraries without a PoC.
• User enumeration via account creation, authentication, or password recovery.

Note: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.

Exemplary Standards

This program has committed to awarding submissions for discovered leaked credentials.

Disclosure Policy

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.
• Follow HackerOne's disclosure guidelines.

Staging vs Production Environments

To support impactful testing without affecting real users or production data, we encourage researchers to use our staging environment for security testing, which is a replica of production, especially when testing paid features.

You may upgrade accounts using test credit cards on staging. The invite code and test card details are listed in the program scope for your convenience.

The triage team also uses staging to verify vulnerabilities that involve paid account actions or subscription logic.

This setup ensures that tests are safe, reproducible, and isolated from live user data. If you have questions about staging environment usage, feel free to message us through HackerOne.

Rules of Engagement

Please adhere to the following rules to ensure compliance with the program:

• Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.
• Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.
• Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.
• Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.
• Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.
• Use the HackerOne platform for all correspondence regarding your testing and findings.

Important: Use your HackerOne email alias (e.g., [email protected]) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.

Neon reserves the right to change program terms at any time.

For vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.

When possible, please employ methods that confirm elevated access without exposing PII. Examples include:

• Screenshots of navigation bar options or pages without PII that weren't originally viewable.
• Improper access to another account you control.

Attributes of a Good Report and Bug Bounty Rewards

Provide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon's discretion, based on the severity and creativity of the bug.