Security Disclosure

Security Contact

For security vulnerabilities and responsible disclosure:

  • Response Time: 24 hours for acknowledgment

  • Emergency Issues: Include "CRITICAL" in subject line

Responsible Disclosure Policy

NEUS Network encourages responsible disclosure of security vulnerabilities. We are committed to working with security researchers to protect our users and the broader ecosystem.

Reporting Guidelines

What to Include

  1. Detailed Description: Clear explanation of the vulnerability

  2. Reproduction Steps: Step-by-step instructions (if applicable)

  3. Impact Assessment: Potential security implications

  4. Proof of Concept: Non-destructive demonstration (if safe)

  5. Suggested Fix: Remediation recommendations (if known)

What NOT to Do

  • Do not create public GitHub issues for security vulnerabilities

  • Do not exploit vulnerabilities beyond proof of concept

  • Do not access or modify data belonging to others

  • Do not disclose vulnerabilities publicly before coordinated disclosure

Response Timeline

  • Acknowledgment (within 24 hours): Confirm receipt of report

  • Initial Assessment (within 72 hours): Preliminary impact analysis

  • Investigation (5-14 days): Detailed technical analysis

  • Resolution (varies by severity; see Severity Classification below): Fix development and testing

  • Disclosure (after fix deployment): Coordinated public disclosure

Severity Classification

Critical (7-day resolution target)

  • Remote code execution

  • Authentication bypass

  • Unauthorized fund access

  • Complete service compromise

High (14-day resolution target)

  • Privilege escalation

  • Data breach potential

  • Application-level denial of service (network-level DDoS is out of scope; see Scope below)

  • Smart contract vulnerabilities that do not directly expose funds (direct unauthorized fund access is Critical)

Medium (30-day resolution target)

  • Information disclosure

  • Rate limit bypass

  • Non-critical logic flaws

Low (Best effort)

  • Configuration issues

  • Minor information leaks

  • Usability security concerns

Scope

In Scope

  • API Endpoints: All public and authenticated endpoints

  • SDK Components: @neus/sdk and @neus/widgets packages

  • Smart Contracts: Deployed protocol contracts

  • Infrastructure: Authentication, rate limiting, data validation

  • Documentation: Security-relevant documentation

Out of Scope

  • Third-Party Services: External APIs and dependencies

  • User Applications: Apps built using NEUS SDK

  • Social Engineering: Attacks targeting individual users

  • Physical Security: Infrastructure access controls

  • Denial of Service: Network-level DDoS attacks

Recognition and Rewards

Current Recognition

  • Public Acknowledgment: Credit in security advisories and documentation

  • Contributor Status: Recognition as a security contributor

  • Priority Support: Enhanced support for future security research

Future Bug Bounty Program

We are developing a comprehensive bug bounty program:

  • Monetary rewards for qualifying vulnerabilities

  • Tiered reward structure based on severity and impact

  • Clear scope and rules for participation

  • Details will be announced on our security channels

Safe Harbor

NEUS Network will not pursue legal action against security researchers who:

  • Report vulnerabilities through proper channels

  • Do not exploit vulnerabilities beyond proof of concept

  • Do not access or modify data belonging to others

  • Comply with this responsible disclosure policy

Security Updates

Communication Channels

  • GitHub Security Advisories: https://github.com/neus/network/security/advisories

  • Security Notifications: [email protected] mailing list

  • Release Notes: Detailed security change documentation

Update Process

  1. Priority Patches: Critical vulnerabilities are patched as the highest priority, against the 7-day resolution target above

  2. Coordinated Disclosure: Public disclosure after fix deployment

  3. Post-Incident Analysis: Detailed analysis and prevention measures

  4. Community Updates: Transparent communication about security improvements

DMCA and Intellectual Property

  • Security research is protected under fair use provisions

  • Responsible disclosure is not considered copyright infringement

  • Reverse engineering for security purposes is permitted under applicable law

International Considerations

  • This policy applies globally to all NEUS Network services

  • Local laws may provide additional protections for security researchers

  • Researchers should comply with laws in their jurisdiction

Contact Information

Security Team

Mailing Address

NEUS Network, Inc. 1111B S Governors Ave STE 39950 Dover, DE 19904, USA


We appreciate the security research community's efforts to make NEUS Network safer for everyone.
