Responsible Disclosure

We value the work of security researchers and welcome reports that help us protect our systems, models, and users. Last updated April 1, 2026.


1. Overview

Neuraphic, Inc. ("Neuraphic," "we," "us," or "our") is committed to the security and safety of our products, services, and users. We recognize that independent security researchers play a vital role in identifying vulnerabilities and helping us maintain the integrity of our systems.

This Responsible Disclosure policy describes how to report security vulnerabilities to us, what to expect during the process, and the protections we offer to researchers who act in good faith. We encourage responsible reporting of any vulnerability that could affect the security or safety of our Services, our users, or the public.

2. Scope

This policy applies to vulnerabilities found in the following Neuraphic systems and services:

Web applications. All Neuraphic-operated websites and web applications, including the console, account management portals, documentation sites, and marketing pages hosted on neuraphic.com and its subdomains.

APIs. All Neuraphic API endpoints, including the Prion, Claeth, and Workers APIs, authentication endpoints, and developer-facing services.

Infrastructure. Neuraphic's cloud infrastructure, networking, and backend systems to the extent that vulnerabilities can be identified without violating the guidelines in this policy.

AI models. Vulnerabilities in the behavior of Neuraphic's AI models, including safety bypasses, alignment failures, harmful outputs, and other behaviors that deviate from intended model behavior. Model safety issues should be reported to the dedicated channel described in Section 9.

3. Out of Scope

The following activities and findings are outside the scope of this policy and should not be pursued or reported under this program:

Social engineering attacks against Neuraphic employees, contractors, or partners, including phishing, pretexting, or any form of deception directed at our personnel.

Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against Neuraphic systems.

Physical attacks against Neuraphic offices, data centers, or equipment.

Vulnerabilities in systems or services operated by third parties, even if they integrate with Neuraphic Services.

Automated scanning or testing that generates significant traffic volumes or could degrade service availability.

Findings from testing conducted in violation of the researcher guidelines described in Section 8.

4. How to Report

Security vulnerabilities should be reported via email to [email protected]. We encourage researchers to encrypt their reports using our PGP key, which is available at neuraphic.com/.well-known/security.txt.

If you are reporting an AI or model safety issue (such as a jailbreak, harmful output, or safety bypass), please use the dedicated channel described in Section 9 instead.

5. What to Include

To help us evaluate and respond to your report efficiently, please include the following information:

Description. A clear, detailed description of the vulnerability, including the affected system, component, or endpoint.

Steps to reproduce. Step-by-step instructions for reproducing the vulnerability, including any tools, scripts, payloads, or configurations used. Proof-of-concept code or screenshots are highly encouraged.

Impact assessment. Your assessment of the potential impact of the vulnerability, including the type of data or systems at risk and the severity of the potential harm.

Environment details. Relevant information about the testing environment, including browser, operating system, API client, or other tools used during testing.

Your contact information. A way for us to reach you for follow-up questions or status updates. We will treat your identity as confidential unless you authorize us to disclose it.

6. Response Timeline

We are committed to responding to vulnerability reports promptly and transparently. Our target response timeline is as follows:

Acknowledgment. We will acknowledge receipt of your report within three (3) business days.

Triage. We will complete an initial assessment of the reported vulnerability within ten (10) business days of acknowledgment. During triage, we will determine the severity, scope, and priority of the issue and communicate our initial findings to you.

Remediation. The timeline for remediation will depend on the severity and complexity of the vulnerability. We will keep you informed of our progress and provide estimated timelines for resolution.

Disclosure window. We ask that researchers allow us a disclosure window of ninety (90) days from the date of the initial report before publicly disclosing the vulnerability. If we are unable to remediate the issue within this window, we will work with you to agree on an appropriate disclosure timeline that balances the need for public awareness with the need to protect users.

7. Safe Harbor

Neuraphic will not pursue legal action against researchers who discover and report security vulnerabilities in good faith and in compliance with this policy. Specifically:

We will not initiate or support legal proceedings, including claims under the Computer Fraud and Abuse Act (CFAA), the Digital Millennium Copyright Act (DMCA), equivalent state computer crime statutes, or analogous laws in other jurisdictions, against researchers who conduct testing in accordance with the guidelines in this policy.

We consider good-faith security research conducted in compliance with this policy to be authorized activity. We will not treat it as unauthorized access or a violation of our Terms of Service or Acceptable Use Policy. Neuraphic hereby authorizes security researchers to access and test the systems described in the Scope section in accordance with this policy. Such authorized access shall not constitute a violation of our Terms of Service, Acceptable Use Policy, or any other Neuraphic policy or agreement.

If a third party initiates legal proceedings against you for activities that were conducted in accordance with this policy, we will take reasonable steps to make it known that your actions were authorized by us and conducted in compliance with our responsible disclosure program.

This safe harbor applies only to research conducted in compliance with all provisions of this policy, including the researcher guidelines in Section 8. Activities that do not comply with this policy may not be covered by this safe harbor.

8. Researcher Guidelines

To qualify for safe harbor protections and to ensure that your research does not cause harm, please adhere to the following guidelines:

Do no harm. Do not destroy, corrupt, or exfiltrate data. Do not modify or delete data belonging to Neuraphic or our users. If you accidentally access data belonging to other users, stop immediately and report the issue without retaining, copying, or disclosing the data.

Minimize impact. Conduct testing in a manner that minimizes disruption to our Services and our users. Do not perform testing that could degrade service availability or performance for other users. Use the minimum level of access and the minimum number of requests necessary to demonstrate the vulnerability.

Respect privacy. Do not access, collect, or store data belonging to other users. If a vulnerability exposes user data, report it immediately and do not access more data than is necessary to demonstrate the vulnerability.

Act in good faith. Report vulnerabilities promptly and do not use them for personal gain, extortion, or any purpose other than improving the security of our systems. Do not publicly disclose a vulnerability before we have had a reasonable opportunity to address it.

Stay in scope. Only test systems and services that are within the scope described in Section 2. Do not test systems that are explicitly out of scope as described in Section 3.

9. AI and Model Safety Issues

We maintain a dedicated channel for reporting issues related to the safety and behavior of our AI models. If you have discovered a jailbreak, safety bypass, harmful output pattern, alignment failure, or any other model behavior that could pose a risk to users or the public, please report it to [email protected].

AI and model safety reports are handled by our safety team and are subject to the same response timelines, safe harbor protections, and researcher guidelines described in this policy. We are particularly interested in reports that identify systematic patterns of harmful behavior, novel attack vectors against model safety systems, or vulnerabilities that could be exploited at scale.

When reporting model safety issues, please include the specific model or API version affected, the exact prompts or inputs used to trigger the behavior, the outputs generated, and your assessment of the potential harm.

10. Recognition

We believe in recognizing the contributions of security researchers who help us improve our systems. With your permission, we will acknowledge your contribution on our security acknowledgments page. We will credit you by name or by a handle of your choosing.

We evaluate all valid reports for their severity, quality, and impact. Neuraphic may, at its sole discretion, offer monetary rewards for particularly significant or impactful findings, though participation in this program does not guarantee financial compensation.

11. Contact

For security vulnerability reports: [email protected]

For AI and model safety reports: [email protected]

Neuraphic, Inc.
A Delaware C Corporation
United States of America