Responsible Disclosure

About This Program

NEO Cyber Camp is a cybersecurity training startup. We build hands-on labs, courses, and a cyber range platform used by students and organizations across Europe. Security is at the core of what we do — and we practice what we teach.

We believe the security community plays a vital role in keeping the internet safe. If you've found a vulnerability in one of our systems, we want to hear about it.

Scope

The following domains and services are in scope:

• neocc.co — NEO Cyber Camp website
• app.neocc.co — Training platform
• range.neocc.co — Cyber range platform
• rangebyneo.co — Range by NEO website

This includes all subdomains and APIs served by these domains.

In-Scope Vulnerabilities

We are interested in reports covering (but not limited to):

• Cross-Site Scripting (XSS)
• SQL Injection (SQLi)
• Authentication and authorization bypass
• Insecure Direct Object References (IDOR)
• Cross-Site Request Forgery (CSRF)
• Remote Code Execution (RCE)
• Server-Side Request Forgery (SSRF)
• Sensitive data exposure
• Security misconfigurations

Out of Scope

The following are not eligible for this program:

• Denial of Service (DoS/DDoS) attacks
• Social engineering or phishing of NEO staff or users
• Physical security attacks
• Spam or content injection without security impact
• Rate limiting or brute force issues without demonstrated bypass
• Vulnerabilities in third-party services we don't control
• Issues that require physical access to a device
• Known issues already being addressed
• Student lab environments — these are intentionally vulnerable for training purposes

Rules of Engagement

• Do not access, modify, or delete other users' data
• Do not disrupt our services or degrade the experience of other users
• Do not publicly disclose a vulnerability before we've had a chance to fix it
• Act in good faith — test only what is necessary to demonstrate the issue
• Use your own test accounts where possible

How to Report

Send your findings to: [security@neocc.co](mailto:security@neocc.co)

Please include:

• A clear description of the vulnerability
• Steps to reproduce (as detailed as possible)
• The affected URL, endpoint, or component
• Your assessment of the potential impact
• Screenshots or proof-of-concept if available

Encrypt sensitive reports using our PGP key (available on request).

Response Timeline

• Acknowledgment: Within 24 hours
• Initial assessment: Within 72 hours
• Status updates: At least every 7 days while we work on a fix
• Coordinated disclosure: 90-day window from initial report

Rewards

We're a small team and can't offer cash bounties right now. But we deeply value the security community's help and we recognize every valid contribution:

• Hall of Fame: Your name (or handle) listed on this page
• Social shoutout: A public thank-you on our LinkedIn and X (Twitter) channels
• Our gratitude: A personal thank-you from our team

As we grow, so will this program. We're committed to building a proper bug bounty program over time.

Safe Harbor

We will not pursue legal action against security researchers who:

• Act in good faith and within the scope of this policy
• Report vulnerabilities through the channel described above
• Do not exploit vulnerabilities beyond what is necessary for demonstration
• Do not violate the privacy of our users

We consider security research conducted under this policy to be authorized and will not initiate legal claims for accidental, good-faith violations.

Hall of Fame

We gratefully acknowledge the following security researchers for their responsible disclosures:

Be the first to report a vulnerability and earn your place here.

---

Last updated: February 2026