Neylak

Security

Responsible Disclosure Policy

We take the security of our platform and our users' data seriously. If you've discovered a vulnerability, we want to hear from you.

How to Report a Vulnerability

Email your findings to security@neylak.com with the subject line [Security Report]. Include:

  • Description of the vulnerability and its potential impact
  • Steps to reproduce (clear, concise, reproducible)
  • Proof of concept (screenshots, HTTP traces, or code)
  • Your name/handle for attribution (optional)
  • Whether you've disclosed this to anyone else

We respond to all reports within 48 hours and aim to resolve critical vulnerabilities within 7 days.

In Scope

  • Authentication and authorization flows
  • API endpoints (booking, payment, user data)
  • SQL injection and data exposure vulnerabilities
  • Cross-site scripting (XSS) and CSRF vulnerabilities
  • Payment and financial data handling
  • Artist and customer PII exposure
  • Account takeover and session management
  • Third-party integrations (Stripe, Supabase)

Out of Scope

  • Denial of service attacks
  • Social engineering or phishing attacks on Neylak staff
  • Physical security of our offices
  • Automated scanning without prior permission
  • Rate limiting and brute force (report, don't exploit)
  • Third-party services outside our control

Bug Bounty Rewards

  • Critical: Authentication bypass, mass data exposure, payment manipulation ($500 – $2,000)
  • High: PII leakage, IDOR on sensitive resources, stored XSS ($200 – $500)
  • Medium: Reflected XSS, CSRF on account actions, info disclosure ($50 – $200)
  • Low: Minor information disclosure, best practice violations (Hall of Fame credit)

Rewards are at Neylak's discretion. We only pay for first reports of previously unknown issues. All reporters are credited in our security Hall of Fame unless they prefer anonymity.

Safe Harbor

Neylak will not take legal action against researchers who discover and responsibly disclose security issues in accordance with this policy. We consider responsible disclosure to be a critical part of our security program and we deeply appreciate the effort researchers put into finding and reporting vulnerabilities.

Questions about our security program?

Email security@neylak.com