Neos takes the security of its products and services seriously. If you believe you've found a security issue or problem with Neos then please report it to us as described below.
Generally the following types of issues are things that we are looking for:
- Personal Data / Information Gathering
  - See our notes below on Private Data
- Currency Theft / Manipulation
- Gaining Access to a User's Computer / Privilege Escalation
- Neos Cloud Issues etc.
- Permission System breaches and bypasses
- Avatar, World and Object Stealing & Ripping
  - As defined in the Neos Guidelines
- Intentional Neos Crashes & World Crashes*

* Given the Beta nature of Neos, crashes are quite common; we usually will not award a bounty for crashes. We still, however, want to hear about them, so please report them. See Issue Bounties for more information.
This is not an exhaustive list, and you should use your best judgement when making a report. If an issue bothers you, please consider reporting it. We would rather know about an issue than not.
Never report security issues through public means such as:
- GitHub Issues
- The Neos Discord
- Conversations in Public Neos Sessions
- Twitter and Other Social Media
Please open a security report on our Moderation Ticket system by using the "Report an Exploit" option.
When submitting a report please ensure you include as much information as possible. Good examples of things to include are:
- What you found
- How you found it
- How serious you think it is
- Whether any other users witnessed the discovery or are aware of it
- Logs
- Replication steps
- Screenshots
- Videos
- A link or URL to a replication item
- Any workarounds you've found to protect against or prevent the issue
You should also indicate if you'd like to opt out of being credited for this report / discovery. When we resolve issues we may credit you in the change logs unless you opt out. Opting out will not affect your ability to receive a reward.
These guidelines are not intended to supersede or to overrule the general Neos Guidelines but are designed to give you some additional guidance in the area of security issues.
- We will not ban or apply any account restriction against you for reporting security issues. Reporting issues is the right thing to do and we want to encourage you to do this.
- If you require other users or their data to help you reproduce an issue, ensure that you get consent from them before proceeding.
- Do not publicly disclose/share or encourage the use of issues that you find and/or report. This includes:
  - Demonstrating the issue to users.
  - "Showing off" or otherwise advertising the issue.
  - Instilling fear in the community regarding an issue.
  - Discussing the details/description of the issue with users who are not a part of your security research group/team.
  - Additionally, using/demonstrating an issue in public with the goal of harassing, disrupting or scaring users may lead to account restrictions under our harassment guidelines.
- Avoid testing, reproducing or investigating issues in public sessions or in sessions in which you are not the host.
- Once an issue has been resolved you may discuss the issue publicly if you would like.
  - When doing this, remember to follow all other Neos guidelines and to keep commentary professional and respectful of Neos and its community.
  - Don't brag or boast about the issue.
When reporting an issue you may discover a workaround or protection that mitigates an issue. Ensure that this is included in your report. In our response to your report we may discuss the suitability of your workaround. After this discussion and depending on the severity, Neos may communicate the issue and the workaround publicly in order to protect its userbase until the issue is resolved.
Informing other users of, or suggesting they apply, an unsuitable workaround that gives them a false sense of security is not advisable. Therefore, until the workaround has been discussed with the Neos team and deemed suitable, please do not talk to other users about it. If the workaround is suitable, feel free to suggest it to other users. Do keep in mind when doing this that your goal should never be to instill fear or uncertainty in a user. Don't scare them into applying something.
If you have a workaround for a previously reported issue, please reply to your original report or open a new report to discuss it.
Due to Neos' peer-to-peer infrastructure for sessions and its flexibility/openness in terms of "in Neos" development, it can be unclear what we class as private data.
To clarify this a little, the following common data is NOT considered private:
- Username
- User ID
- Machine ID
- IP Address
- Steam ID
  - Used with Steam Networking Sockets and Rich Presence
- Discord ID
  - Used with Discord Rich Presence
Although this information is not considered private, using or acquiring it in a way which breaches any other Neos Guidelines may still lead to account restrictions.
Once a report has been submitted to our ticket system you should receive the following responses:
- Acknowledgement - A response from our ticket system should let you know that we've received your ticket.
- Further Responses - A Neos Representative may reach out with some additional questions or clarifications to help us triage and work on your issue.
  - Please work with this representative in providing as much information as you can and answering their questions.
  - Working with Neos on your issue will help us reproduce it and fix it sooner.
- Resolution - After the issue is resolved you will receive an additional message acknowledging that this issue is resolved.
Security reports are only reviewed by essential personnel:
We have an example report which was submitted by the community and led to a fix. It has been anonymized and is presented here to provide an example of what we're looking for.
We may give out rewards or incentives for reporting security issues to Neos. The rewards are in the form of CDFT (Community Developer Fund Token), which you can read more about in our Neos Whitepaper.
We've decided to reward in CDFT as this allows us to provide rewards that will grow as Neos does. When the price of NCR increases with Neos, so will the real-world value of your reward. This allows us to provide much larger rewards when you consider their long-term value.
The amount of CDFT awarded will vary depending on a number of factors, including (but not limited to):
- Severity of Issue
- Complexity of the Issue
- Quality of Report
Additionally, a reward may not be issued in all cases. Some reasons that may cause a reward to not be issued are:
- Invalid issues
- Issues that have the same root cause as a previous issue.
- Issues that have been previously reported by another user.
- Issues that the Neos Team is aware of and plans to cover as a part of larger roadmapped items.
- Issues that are not classified as security related or exploitable.
- Issues that are submitted anonymously.
  - If you'd like an award but would like to remain publicly anonymous, you can opt out of being credited with the discovery of an issue. When reporting the issue, ensure that you include your name and your desire to remain publicly anonymous.
In all cases the Neos Team will discuss and deliberate what reward, if any, is suitable for a particular issue. Based on that consensus the reward will then be issued. A decision may take some time to reach; do not expect an instant decision.
It is important to remember that this reward is an incentive and reward for your reports, it is not intended to be a competition, race or to provide a salary. We may change, update, remove or add to this bounty at any time.
Any conduct relating to this program which breaches the regular Neos Guidelines may result in a forfeiture of any rewards and a potential exclusion from reward considerations in the future.
After deliberation and discussion with the Neos Team, a choice to reward a bounty may result in an award that is between 5000 and 10000 CDFT. A reward is not guaranteed.
Multiple issues that are reported may also strengthen your regular application for CDFT should you have one.
Please do not submit a CDFT application for each report made and please do not submit an application just for your security reporting activities.
Should you be working as a group or as a team, please indicate this in your original report. In the event of a reward we will contact you so that your group/team can decide how to split the rewards.
If you have previously made reports, we will not be retroactively giving out rewards for these reports.
In these cases, we do encourage you to submit a regular CDFT Application if you do not already have an active one. Your historical security reports and current activity may be factored in to strengthen your application.
See our Mod & Plugin Policy