[{"id":3774173,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the list of API endpoints for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\n**NOTE** Neon has been acquired by Databricks and we maintain two distinct bug bounty programs. It is important to note that Neon and Lakebase share a common codebase; consequently, we can only accept a specific vulnerability report once across both platforms. 
We strongly advise that prior to submitting a vulnerability report concerning Neon, you verify its applicability to Lakebase and submit the report through the [Databricks bounty program](https://hackerone.com/databricks), as the associated bounties are typically more substantial.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nWhile production systems are in scope, we ask that researchers use our staging environment for all security testing. Staging is a replica of production and supports the same features, including paid account functionality via test credit cards.\n\u003e **Staging Access:** Sign up at https://console-stage.neon.build/ using preview code / invite code **I-LOVE-PREVIEWS**\n( https://console-stage.neon.build/?invite=I-LOVE-PREVIEWS ), and please use your **@wearehackerone.com** email so we can identify testing activity. For staging, you can upgrade plans using Stripe test cards 
(https://docs.stripe.com/testing).\n\nIf your testing requires something specific to production, please alert us at bugbounty@databricks.com before proceeding so we can coordinate and minimize any impact to live users and data. If you have questions about this or anything else, feel free to reach out at the same address!\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanctions lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, or the Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. 
If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. 
Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}","{\"category\":\"Test Credentials and Placeholder Data\",\"details\":\"Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. Reports must demonstrate impact on a production system to be considered valid.\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}","{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation.\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects are not eligible for bounty\"}"],"timestamp":"2026-05-14T11:23:31.726Z"},{"id":3773815,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. 
We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the list of API endpoints for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\n**NOTE** Neon has been acquired by Databricks and we maintain two distinct bug bounty programs. It is important to note that Neon and Lakebase share a common codebase; consequently, we can only accept a specific vulnerability report once across both platforms. We strongly advise that prior to submitting a vulnerability report concerning Neon, you verify its applicability to Lakebase and submit the report through the [Databricks bounty program](https://hackerone.com/databricks), as the associated bounties are typically more substantial.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nWhile production systems are in scope, we ask that researchers use our staging environment for all security testing. Staging is a replica of production and supports the same features, including paid account functionality via test credit cards.\n\nIf your testing requires something specific to production, please alert us at bugbounty@databricks.com before proceeding so we can coordinate and minimize any impact to live users and data. If you have questions about this or anything else, feel free to reach out at the same address!\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanctions lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, or the Crimea region of Ukraine. 
Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}","{\"category\":\"Test Credentials and Placeholder Data\",\"details\":\"Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. 
Reports must demonstrate impact on a production system to be considered valid.\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}","{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation.\"}","{\"category\":\"Open Source Vulnerabilities\",\"details\":\"Vulnerabilities in open source projects are not eligible for bounty\"}"],"timestamp":"2026-05-07T13:47:11.108Z"},{"id":3771740,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the list of API endpoints for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. 
Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\n**NOTE** Neon has been acquired by Databricks and we maintain two distinct bug bounty programs. It is important to note that Neon and Lakebase share a common codebase; consequently, we can only accept a specific vulnerability report once across both platforms. We strongly advise that prior to submitting a vulnerability report concerning Neon, you verify its applicability to Lakebase and submit the report through the [Databricks bounty program](https://hackerone.com/databricks), as the associated bounties are typically more substantial.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nWhile production systems are in scope, we ask that researchers use our staging environment for all security testing. Staging is a replica of production and supports the same features, including paid account functionality via test credit cards.\n\nIf your testing requires something specific to production, please alert us at bugbounty@databricks.com before proceeding so we can coordinate and minimize any impact to live users and data. If you have questions about this or anything else, feel free to reach out at the same address!\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanctions lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, or the Crimea region of Ukraine. 
Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}","{\"category\":\"Test Credentials and Placeholder Data\",\"details\":\"Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. Reports must demonstrate impact on a production system to be considered valid.\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}","{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation.\"}"],"timestamp":"2026-03-26T18:12:05.664Z"},{"id":3768380,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. 
Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the list of API endpoints for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\n**NOTE** Neon has been acquired by Databricks and we maintain two distinct bug bounty programs. It is important to note that Neon and Lakebase share a common codebase; consequently, we can only accept a specific vulnerability report once across both platforms. We strongly advise that prior to submitting a vulnerability report concerning Neon, you verify its applicability to Lakebase and submit the report through the [Databricks bounty program](https://hackerone.com/databricks), as the associated bounties are typically more substantial.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. 
We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nTo support impactful testing without affecting real users or production data, we encourage researchers to use our staging environment for security testing, which is a replica of production, especially when testing paid features.\nYou may upgrade accounts using test credit cards on staging. The invite code and test card details are listed in the program scope for your convenience.\nThe triage team also uses staging to verify vulnerabilities that involve paid account actions or subscription logic.\nThis setup ensures that tests are safe, reproducible, and isolated from live user data. 
If you have questions about staging environment usage, feel free to message us through HackerOne.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanctions lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, or the Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. 
If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. 
Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}","{\"category\":\"Test Credentials and Placeholder Data\",\"details\":\"Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. Reports must demonstrate impact on a production system to be considered valid.\"}","{\"category\":\"Subdomain Takeover\",\"details\":\"Subdomain takeovers that lack demonstrable impact are out of scope\"}","{\"category\":\"Automated Reports\",\"details\":\"Sending vulnerability reports using automated tools without validation.\"}"],"timestamp":"2026-01-15T18:12:41.538Z"},{"id":3767213,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. 
We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoint list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\n**NOTE** Neon has been acquired by Databricks and we maintain two distinct bug bounty programs. It is important to note that Neon and Lakebase share a common codebase; consequently, we can only accept a specific vulnerability report once across both platforms. We strongly advise that prior to submitting a vulnerability report concerning Neon, you verify its applicability to Lakebase and submit the report through the [Databricks bounty program](https://hackerone.com/databricks), as the associated bounties are typically more substantial.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nTo support impactful testing without affecting real users or production data, we encourage researchers to use our staging environment for security testing, which is a replica of production, especially when testing paid features.\nYou may upgrade accounts using test credit cards on staging. The invite code and test card details are listed in the program scope for your convenience.\nThe triage team also uses staging to verify vulnerabilities that involve paid account actions or subscription logic.\nThis setup ensures that tests are safe, reproducible, and isolated from live user data. If you have questions about staging environment usage, feel free to message us through HackerOne.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. 
This includes, but is not limited to, residents of Iran, North Korea, Syria, and the Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}","{\"category\":\"Test Credentials and Placeholder Data\",\"details\":\"Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. Reports must demonstrate impact on a production system to be considered valid.\"}"],"timestamp":"2025-12-09T17:35:23.910Z"},{"id":3767212,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. 
We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoint list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\n**NOTE** Neon has been acquired by Databricks and we maintain two distinct bug bounty programs. It is important to note that Neon and Lakebase share a common codebase; consequently, we can only accept a specific vulnerability report once across both platforms. We strongly advise that prior to submitting a vulnerability report concerning Neon, you verify its applicability to Lakebase and submit the report through the Lakebase program, as the associated bounties are typically more substantial.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nTo support impactful testing without affecting real users or production data, we encourage researchers to use our staging environment for security testing, which is a replica of production, especially when testing paid features.\nYou may upgrade accounts using test credit cards on staging. The invite code and test card details are listed in the program scope for your convenience.\nThe triage team also uses staging to verify vulnerabilities that involve paid account actions or subscription logic.\nThis setup ensures that tests are safe, reproducible, and isolated from live user data. If you have questions about staging environment usage, feel free to message us through HackerOne.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. 
This includes, but is not limited to, residents of Iran, North Korea, Syria, and the Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}","{\"category\":\"Test Credentials and Placeholder Data\",\"details\":\"Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. Reports must demonstrate impact on a production system to be considered valid.\"}"],"timestamp":"2025-12-09T17:10:41.614Z"},{"id":3766082,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. 
We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoint list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nTo support impactful testing without affecting real users or production data, we encourage researchers to use our staging environment for security testing, which is a replica of production, especially when testing paid features.\nYou may upgrade accounts using test credit cards on staging. The invite code and test card details are listed in the program scope for your convenience.\nThe triage team also uses staging to verify vulnerabilities that involve paid account actions or subscription logic.\nThis setup ensures that tests are safe, reproducible, and isolated from live user data. If you have questions about staging environment usage, feel free to message us through HackerOne.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. 
This includes, but is not limited to, residents of Iran, North Korea, Syria, and the Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":true,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}","{\"category\":\"Test Credentials and Placeholder Data\",\"details\":\"Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. Reports must demonstrate impact on a production system to be considered valid.\"}"],"timestamp":"2025-11-13T17:36:24.764Z"},{"id":3756857,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. 
We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoint list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nTo support impactful testing without affecting real users or production data, we encourage researchers to use our staging environment for security testing, which is a replica of production, especially when testing paid features.\nYou may upgrade accounts using test credit cards on staging. The invite code and test card details are listed in the program scope for your convenience.\nThe triage team also uses staging to verify vulnerabilities that involve paid account actions or subscription logic.\nThis setup ensures that tests are safe, reproducible, and isolated from live user data. If you have questions about staging environment usage, feel free to message us through HackerOne.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. 
This includes, but is not limited to, residents of Iran, North Korea, Syria, and the Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}","{\"category\":\"Test Credentials and Placeholder Data\",\"details\":\"Test credentials, dummy data, and placeholder values (e.g., username:password, dummy certs) clearly marked for testing are out of scope. Reports must demonstrate impact on a production system to be considered valid.\"}"],"timestamp":"2025-06-04T12:33:02.881Z"},{"id":3754784,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. 
We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoint list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Staging vs Prod Environments\nTo support impactful testing without affecting real users or production data, we encourage researchers to use our staging environment for security testing, which is a replica of production, especially when testing paid features.\nYou may upgrade accounts using test credit cards on staging. The invite code and test card details are listed in the program scope for your convenience.\nThe triage team also uses staging to verify vulnerabilities that involve paid account actions or subscription logic.\nThis setup ensures that tests are safe, reproducible, and isolated from live user data. If you have questions about staging environment usage, feel free to message us through HackerOne.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. 
This includes, but is not limited to, residents of Iran, North Korea, Syria, Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}"],"timestamp":"2025-05-05T07:48:45.996Z"},{"id":3751772,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. 
We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoints list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Known Vulnerabilities\nWe're aware of the following vulnerabilities and do not award these reports unless you can combine multiple vulnerabilities to have a bigger impact:\n- CSRF\n- HTML injection\n- Invalid Session termination\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"Hackerone's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. 
If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. 
Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}"],"timestamp":"2025-03-14T15:41:23.564Z"},{"id":3751545,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoints list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. 
Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"Hackerone's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. 
This includes, but is not limited to, residents of Iran, North Korea, Syria, Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}"],"timestamp":"2025-03-11T17:35:41.285Z"},{"id":3751544,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. 
We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoints list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. 
We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Out of Scope\n\nTo keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\n\n- Feedback Form\n- Support Form\n- Request Private Networking Form\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"Hackerone's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. 
If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. 
Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":["{\"category\":\"Forms\",\"details\":\"To keep things efficient and reduce unnecessary noise for the Neon team, please exclude the following forms from your tests:\\nFeedback Form, Support Form, Request Private Networking Form\"}"],"timestamp":"2025-03-11T17:34:27.403Z"},{"id":3751393,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoints list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. 
Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials of Neon employees that could grant unauthorized access or expose sensitive information. We do not award reports for leaked credentials of our customers because Neon is a GitHub Secret Scanning partner, which means GitHub automatically scans for and reports leaked credentials associated with our platform. We have an internal process to notify affected customers directly.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"Hackerone's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, Crimea region of Ukraine. 
Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. 
Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-03-10T10:20:20.162Z"},{"id":3751190,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoints list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. 
Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials that could grant unauthorized access or expose sensitive information.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"Hackerone's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanction lists or residing in sanctioned countries. This includes, but is not limited to, residents of Iran, North Korea, Syria, Crimea region of Ukraine. Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Do not attempt to view, alter, or damage data belonging to other users. 
If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nImportant: Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts. If you run security scans against Neon's systems without using your @wearehackerone.com email address, your email may be blocked. Please ensure you use your HackerOne email when testing.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. 
Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"Neon looks forward to working with the security community to find vulnerabilities in order to keep our businesses and customers safe.","platform_standards_exclusions":[],"exemplary_standards_exclusions":["LEAKED_CREDENTIALS"],"scope_exclusions":[],"timestamp":"2025-03-04T11:04:59.842Z"},{"id":3751054,"new_policy":"## Overview\nNeon is an open-source database company dedicated to delivering a serverless PostgreSQL platform optimized for cloud deployment. Our architecture separates storage and compute, enabling features like autoscaling, instant branching, and bottomless storage. Committed to continuous development, we regularly release new features and enhancements, providing ongoing opportunities for security testing. We invite researchers to collaborate with us in identifying and addressing potential vulnerabilities, ensuring our platform remains robust and secure.\n\nTime to resolution varies by complexity and severity.\n\nUpdate: Here's the API endpoints list for comprehensive testing: {F4002038}\n\n### Disclosure Policy\n- Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from us. 
Disclosure of reports within HackerOne can be discussed.\n- Follow HackerOne's disclosure guidelines.\n\n## Eligible Vulnerabilities\nTo qualify for rewards, the following criteria must be met:\n- You must be the first to report the vulnerability.\n- Reports must include full reproduction details and be reproducible on in-scope assets.\n- Vulnerabilities should affect recent versions of supported browsers or applications (e.g., Microsoft Edge, Chrome 111, Firefox 111, Safari 15).\n- Qualification of vulnerabilities is at Neon's sole discretion.\n\nWe welcome reports of:\n- Leaked credentials that could grant unauthorized access or expose sensitive information.\n- Any issue allowing unauthorized access, modification, or data exposure.\n\n### Non-Qualifying Vulnerabilities and Exclusions\nIn addition to the \"HackerOne's Core Ineligible Findings\" list, the following are considered out of scope unless a proof-of-concept (PoC) demonstrates exploitability:\n- Unfixed issues in third-party components (vendor-dependent).\n- Missing \"best practices\" that do not introduce a security vulnerability.\n- Rate limiting (please avoid excessive testing, as it may trigger alerts).\n- Vulnerable libraries without a PoC.\n- User enumeration via account creation, authentication, or password recovery.\n\nNote: We cannot reward or work with individuals on U.S. sanctions lists or residing in sanctioned countries. This includes residents of Iran, North Korea, Syria, and the Crimea region of Ukraine. 
Severity level is at the sole discretion of the Neon security team.\n\n## Rules of Engagement\nPlease adhere to the following rules to ensure compliance with the program:\n- Use a unique header with your HackerOne username (X-Bug-Bounty:HackerOne-username) in requests to help us identify your testing.\n- Use your HackerOne email alias (e.g., username@wearehackerone.com) when creating accounts, so we can recognize legitimate testing accounts.\n- Do not attempt to view, alter, or damage data belonging to other users. If necessary, create a test account to verify vulnerabilities.\n- Avoid excessive automated scanning; keep requests to 10 per second or lower to prevent potential service impact.\n- Do not discuss or share details of any vulnerability, even resolved ones, outside the HackerOne platform until officially approved for disclosure.\n- Refrain from attempting denial-of-service attacks or similar actions that could disrupt our services.\n- Use the HackerOne platform for all correspondence regarding your testing and findings.\n\nNeon reserves the right to change program terms at any time.\n\nFor vulnerabilities involving information disclosure, avoid capturing or retaining personally identifiable information (PII). If you inadvertently access or alter any PII, stop testing immediately and report the issue along with reproduction steps to help our team assess the impact.\n\nWhen possible, please employ methods that confirm elevated access without exposing PII. Examples include:\n- Screenshots of navigation bar options or pages without PII that weren’t originally viewable.\n- Improper access to another account you control.\n\n### Attributes of a Good Report and Bug Bounty Rewards\nProvide detailed, clear reporting with screenshots, proof-of-concept code, and steps to reproduce. Rewards reflect the impact, severity, and creativity of the vulnerability discovered. 
Bug bounty rewards are solely at Neon’s discretion, based on the severity and creativity of the bug.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-28T09:33:37.457Z"}]