You popped us?
Cool. Tell us how so we can fix it.
Look, we get it. The security industry has this weird relationship with hackers - we need you to exist to justify our business, but we pretend we want to stop you. Let's skip the corporate BS and be real about this.
info@neosecurity.nl
PGP key available if you're into that OpSec life
The Security Paradox
From Phrack Issue 64, Article 4:
"There is something strange, really strange. I always compare the security world with the drug world... Do you really think that security companies want to eradicate hackers?"
→ Read the full article on phrack.org
The author was right. The security industry needs hackers to exist. Without threats, there's no business. Without vulnerabilities, there's no reason for security companies. It's the same paradox as the war on drugs - everyone pretends they want to win, but nobody actually wants the war to end.
So let's be honest about this relationship. You find flaws, we fix them. You keep doing what you do, we keep doing what we do. The ecosystem needs both sides.
Our Philosophy
We're not trying to "eradicate" hackers. We're trying to build better defenses. If you can break our stuff, that's valuable intelligence. We'd rather learn from you than pretend you don't exist.
"We don't need them to exist, we exist because we like learning, learning what we are not supposed to learn." - Phrack 64
How This Actually Works
You drop us a line
info@neosecurity.nl - we'll confirm receipt within 24h (probably faster)
We validate your findings
Is it real? Can we reproduce? What's the blast radius?
We fix the damn thing
Patch, test, deploy. No corporate bureaucracy nonsense.
Coordinated disclosure
Public advisory with props to you (if you want them)
Rules of Engagement
Things we're cool with
- Use info@neosecurity.nl with PGP if you're paranoid (we get it)
- Give us clear reproduction steps - we're not mind readers
- Give us reasonable time to fix (90 days is industry standard)
- Keep it quiet until we coordinate disclosure
- Test on your own stuff or with explicit permission
Things that'll piss us off
- Access other people's data - that's not research, that's being a dick
- Social engineer our people - they're just trying to do their jobs
- Physical attacks without explicit permission - we have cameras
- DDoS us - bandwidth costs money and proves nothing
- 0-day dump on Twitter before we can fix - that's just reckless
What We Actually Care About
High Impact Stuff
- Remote Code Execution (the holy grail)
- SQL Injection (still a classic)
- XSS that actually matters
- Auth bypass (ouch)
- Sensitive data exposure
- SSRF with actual impact
- XXE that does damage
- IDOR that matters
Low Signal Noise
- Clickjacking on non-sensitive pages (meh)
- Missing headers without demonstrated impact (we know, we know)
- Error messages that don't leak data
- Brute force (rate limiting exists for a reason)
- Self-XSS (seriously?)
- Spam/phishing attempts (not cool)
Scope: All *.neosecurity.nl subdomains are fair game. Third-party services and customer environments are obviously off-limits. Use common sense.
Hall of Fame
Props to the researchers who've helped us build better defenses. If you want credit, we'll add you here. If you prefer to stay in the shadows, that's cool too.
Security Researchers
The list is growing. Want to be on it? Find something interesting and let us know.
Legal Safe Harbor
If you follow these guidelines, we won't come after you legally. Simple as that.
- Act in good faith according to this policy
- Don't cause damage to our systems or data
- Keep things confidential until coordinated disclosure
- Stop testing once you've found something
We won't file charges under computer crime laws if you stick to these rules. We're not interested in making enemies - we want to make our stuff more secure.
Ready to drop some knowledge?
Found something? Want to report it? Want to just chat about security? We're here for it. No corporate gatekeepers, no endless forms.
Security findings:
info@neosecurity.nl
PGP key available on request for the paranoid (we get it)
glhf, keep your tricks, we'll keep ours 👾