~/responsible_disclosure

You popped us?

Cool. Tell us how so we can fix it.

Look, we get it. The security industry has this weird relationship with hackers - we need you to exist to justify our business, but we pretend we want to stop you. Let’s skip the corporate BS and be real about this.

soc@neosecurity.nl

PGP key available at /neo.pub if you’re into that OpSec life

The Security Paradox

📖

From Phrack Issue 64, Article 4:

"There is something strange, really strange. I always compare the security world with the drug world... Do you really think that security companies want to eradicate hackers?"

→ Read the full article on phrack.org

The author was right. The security industry needs hackers to exist. Without threats, there's no business. Without vulnerabilities, there's no reason for security companies. It's the same paradox as the war on drugs - everyone pretends they want to win, but nobody actually wants the war to end.

So let's be honest about this relationship. You find flaws, we fix them. You keep doing what you do, we keep doing what we do. The ecosystem needs both sides.

Our philosophy

We're not trying to "eradicate" hackers. We're trying to build better defenses. If you can break our stuff, that's valuable intelligence. We'd rather learn from you than pretend you don't exist.

"We don't need them to exist, we exist because we like learning, learning what we are not supposed to learn." - Phrack 64

How this actually works

T+0

You drop us a line

soc@neosecurity.nl - we'll confirm receipt within 24h (probably faster)

T+1-3

We validate your findings

Is it real? Can we reproduce? What's the blast radius?

T+3-90

We fix the damn thing

Patch, test, deploy. No corporate bureaucracy nonsense.

T+90+

Coordinated disclosure

Public advisory with props to you (if you want them)

Rules of Engagement

Things we're cool with

→Use soc@neosecurity.nl with PGP if you're paranoid (we get it)
→Give us clear reproduction steps - we're not mind readers
→Give us reasonable time to fix (90 days is industry standard)
→Keep it quiet until we coordinate disclosure
→Test on your own stuff or with explicit permission

Things that'll piss us off

×Access other people's data - that's not research, that's being a dick
×Social engineer our people - they're just trying to do their jobs
×Physical attacks without explicit permission - we have cameras
×DDoS us - bandwidth costs money and proves nothing
×0-day dump on Twitter before we can fix - that's just reckless

What we actually care about

High Impact Stuff

Remote Code Execution (the holy grail)
SQL Injection (still a classic)
XSS that actually matters
Auth bypass (ouch)
Sensitive data exposure
SSRF with actual impact
XXE that does damage
IDOR that matters

Low Signal Noise

Clickjacking on non-sensitive pages (meh)
Missing headers without demonstrated impact (we know, we know)
Error messages that don't leak data
Brute force (rate limiting exists for a reason)
Self-XSS (seriously?)
Spam/phishing attempts (not cool)

Scope: All *.neosecurity.nl subdomains are fair game. Third-party services and customer environments are obviously off-limits. Use common sense.

Hall of Fame

Props to the researchers who've helped us build better defenses. If you want credit, we'll add you here. If you prefer to stay in the shadows, that's cool too.

Security Researchers

Props to the people who found real issues and reported them properly.

Ashik Mohamed

DMARC issues on our scope reported; thanks for the heads up!

Dec 2025

bugcrowd.com/h/ashikmd7 →

Legal safe harbor

If you follow these guidelines, we won't come after you legally. Simple as that.

Act in good faith according to this policy
Don't cause damage to our systems or data
Keep things confidential until coordinated disclosure
Stop testing once you've found something

We won't file charges under computer crime laws if you stick to these rules. We're not interested in making enemies - we want to make our stuff more secure.

Ready to drop some knowledge?

Found something? Want to report it? Want to just chat about security? We're here for it. No corporate gatekeepers, no endless forms.

Security findings:

soc@neosecurity.nl