Security Policy
Reporting a vulnerability. If you believe you have found a security vulnerability in NeuroTrack — in the iOS / Android app or on neuro-track.com — please email access@neuro-track.com. NeuroTrack is built and maintained by two developers; coordinated disclosure is appreciated, and we'll route reports between us. Please give us a reasonable window to respond before publishing.
What to include. A short description of the issue, the platform and version, exact steps to reproduce, and what you believe an attacker could achieve. Proof-of-concept code is welcome but not required. Avoid sending real personal health data — synthetic data is preferred.
What you can expect. Acknowledgement within 7 days. Substantive update within 30 days. Where possible, credit in the release notes (with your permission).
Safe harbor. Good-faith security research that respects user privacy and applicable law will not be referred for legal action. Do not access, modify, or exfiltrate other users' data; NeuroTrack is on-device-only, so there are no "other users" to test against. Do not run denial-of-service or social-engineering tests against the website.
Bounty. There is no monetary bug-bounty program. We will credit researchers and, where the report leads to a substantive fix, send a personal thank-you.
security.txt. A machine-readable contact record is published at https://neuro-track.com/.well-known/security.txt per RFC 9116.
Threat model and known limitations are documented in the project's internal docs/security.md. Highlights are summarized in the Privacy Policy.
Contact. access@neuro-track.com