Vulnerability disclosure policy

Last updated: May 15, 2026

Contact

Send vulnerability reports to info@neovail.com. Include affected URLs, reproduction steps, impact, and any relevant screenshots or logs. Do not include sensitive third-party data.

Scope

In scope: the public NeoVail marketing website at neovail.com and www.neovail.com after launch. Product control planes, customer environments, third-party services, and social engineering are out of scope unless NeoVail expressly authorizes testing.

Rules of engagement

Do not access, modify, delete, or exfiltrate data that is not yours. Do not degrade service availability, run destructive tests, use phishing or social engineering, or test physical security. Stop testing and report promptly if you encounter sensitive data.

Safe-harbor intent

NeoVail intends not to pursue legal action for good-faith research that complies with this policy, avoids privacy harm and service disruption, and is reported promptly. This statement is not a waiver of legal rights and should be reviewed by counsel before launch.

Response targets

NeoVail aims to acknowledge valid reports within five business days and provide a remediation status update within thirty days. These targets may change as the security program matures.