Neuraphic welcomes reports from security researchers. This page defines the scope of our bug bounty program, the rules we ask researchers to follow, and what they can expect from us in return. The goal is simple: make it unambiguous what is fair game, unambiguous how to report, and unambiguous what happens next.
If anything on this page is unclear, ask us first. Email security@neuraphic.com before testing and we will give you a direct answer.
Program scope
In scope. All production services hosted under *.neuraphic.com, including the marketing site, the customer console, accounts, the workers application, and the public API surface. Vulnerabilities in software we ship — CLIs, SDKs, and client libraries published under the Neuraphic name — are in scope. Issues in our public GitHub repositories are in scope when they affect production.
Out of scope. Third-party services we depend on (report those to the vendor directly), non-production environments, subdomains explicitly marked as testing or staging, issues that require physical access to a user's device, social engineering of employees or customers, and vulnerabilities whose only impact is denial of service. Findings that depend on outdated browsers or on user behavior clearly outside a reasonable threat model are also out of scope.
What we consider a valid report
A valid report describes a specific, reproducible security issue that affects the confidentiality, integrity, or availability of customer data or the service itself. "This looks weird" is not a valid report; "here is a request that returns data belonging to another account, with steps to reproduce" is. The quality of the report is the single biggest factor in how quickly it is resolved.
Examples of issues we are particularly interested in: authentication and authorization flaws, injection vulnerabilities, broken access control, sensitive data exposure, server-side request forgery, and anything that can be used to bypass the safety controls on our AI systems.
Rewards
Monetary rewards for security research are under consideration for 2026. While we finalize the framework, reports that meet our validity bar will receive recognition, swag, and a permanent credit in our hall of fame. Researchers who report critical issues will be publicly acknowledged unless they request otherwise, and high-impact findings will receive a personal thank-you from our security team.
When the monetary tier launches, eligibility will be retroactive for the previous ninety days at our discretion for reports that would qualify under the new framework.
Rules of engagement
Stay in scope. Only test assets that this page lists as in-scope. If you are unsure whether an asset is in scope, ask before testing.
Do not degrade service. No denial-of-service testing, no automated scanners running at load, no testing that interferes with other users. If your research produces load that could affect availability, stop and contact us.
Do not pivot. If you find a way in, demonstrate impact minimally and stop. Do not access, modify, or exfiltrate data beyond what is necessary to prove the issue exists. Do not persist access.
No social engineering. Our employees, contractors, customers, and vendors are off-limits. This includes phishing, vishing, and physical intrusion.
Give us time to fix it. Please allow ninety days from initial report before public disclosure. We will work with you if more time is needed or if you want to publish sooner for a specific reason — these conversations are routine and we will not stall you.
How to submit
Send findings to security@neuraphic.com. A good submission includes:
A clear description of the vulnerability and the impact it has.
Exact steps to reproduce, including any accounts, requests, or payloads required.
The affected URL, endpoint, or component.
Any logs, screenshots, or proof-of-concept code that help us understand the issue.
The handle you would like credited, if applicable.
You do not need to encrypt the initial report, but if your finding is sensitive and you would prefer to, ask for our PGP key in your first email and we will provide it.
What we commit to
Acknowledgement within three business days. You will hear from a human on the security team confirming receipt.
Triage within ten business days. We will tell you whether we have reproduced the issue, how we are scoring its severity, and our initial plan for remediation.
Progress updates. Until the issue is resolved, we will keep you informed at reasonable intervals. If something is taking longer than expected, we will tell you why.
No legal action for good-faith research. We will not pursue or support legal action against researchers who report issues in line with the rules on this page. Acting in good faith, staying in scope, and not causing harm to users are the conditions for this safe harbor.
Hall of fame
We will credit researchers who report valid findings here as submissions arrive. Recognition is coming — once the first qualifying reports come in, this section becomes a permanent ledger of contributors. If you prefer to remain anonymous, tell us in the report and we will honor that.