Coordinated Vulnerability Disclosure
Neurogs operates a coordinated disclosure program for the neurogs.tech surface and the NOGTUS operator console. This document defines scope, safe harbor, reporting channel, and triage SLA.
Scope
In scope: neurogs.tech, *.neurogs.tech, and the NOGTUS operator console deployed on customer-tenant cloud. Customer-side air-gapped deployments are out of scope for public disclosure and must be reported through the customer's incident channel.
Safe Harbor
Good-faith research conducted under this policy will not result in legal action. We commit to working with researchers, acknowledging valid reports, and remediating within a defined timeline.
Reporting Channel
Send the report to security@neurogs.tech, encrypted with our PGP key (fingerprint published at neurogs.tech/.well-known/security.txt). Include reproduction steps, affected component, and impact analysis.
Triage SLA
Acknowledgement within two (2) business days. Triage classification within five (5) business days. Remediation timeline communicated within fifteen (15) business days, calibrated to severity (CVSS v3.1).
Out of Scope
Volumetric DoS, social engineering of staff, physical attacks, third-party services not operated by Neurogs, vulnerabilities requiring root-level access already granted, and theoretical issues without a working proof-of-concept.
Coordinated Disclosure
We request a 90-day non-disclosure window from the date of acknowledgement. Public disclosure will be coordinated jointly. Researcher attribution is offered by default.