Coordinated Vulnerability Disclosure

Email security@neudocs.app with a description of the issue, steps to reproduce, and any proof-of-concept. Please give us reasonable time to investigate and remediate before any public disclosure.

We will not pursue or support legal action against researchers who, in good faith, discover and report vulnerabilities in accordance with this policy. Good faith means: you avoid privacy violations, data destruction, and service degradation; you only interact with accounts you own or have explicit permission to test; and you do not access, modify, or exfiltrate another organisation's data.

In scope: the NeuDocs application and its API. Out of scope: denial-of-service testing, social engineering of our staff or customers, physical attacks, and findings that require a compromised device or a man-in-the-middle position. Third-party services we rely on (see Subprocessors) run their own disclosure programs.

We aim to acknowledge a valid report within 3 business days and to keep you informed as we work toward a fix. Remediation is prioritised by severity — typically within 7 days for critical issues and 30–90 days for lower-severity ones. We don't currently run a paid bug-bounty program, but we're grateful for responsible disclosure and will credit reporters who'd like to be acknowledged.