We take the security of EMQX Neuron and NeuronEX seriously and appreciate the efforts of security researchers who help keep our users safe.
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests. Public disclosure before a fix is available puts users at risk.
Instead, report privately through GitHub's Private Vulnerability Reporting:
- Go to the Security tab of this repository.
- Click Report a vulnerability.
- Fill in the advisory form with the details below.
This opens a private channel visible only to the maintainers.
A good report helps us triage quickly. Where possible, please provide:
- The affected product and version(s) (e.g. Neuron 2.15.0, NeuronEX 3.9.0), and the commit or image digest you tested.
- The component / code path (file and function, if known).
- A clear description of the vulnerability and its impact.
- Step-by-step reproduction instructions, a proof-of-concept, or the exact payloads. A reproduction package is welcome.
- The exact configuration required to trigger it (network binding, TLS mode, broker setup, plugins/nodes configured, etc.), and any conditions under which the issue does not occur.
- Your assessment of severity, if you have one (e.g. a CVSS vector).
Security fixes are provided for the active release tracks. Older versions should be upgraded to a fixed release.
| Product | Supported tracks |
|---|---|
| EMQX Neuron | 2.12.x, 2.13.x, 2.14.x, 2.15.x |
| EMQX NeuronEX | 3.6.x, 3.7.x, 3.8.x, 3.9.x |
- Acknowledgement — we aim to acknowledge your report within a few business days.
- Assessment — we validate the issue and assess severity (CVSS for the published advisory, plus our internal reward tiering where applicable).
- Fix — we develop and backport the fix across the affected supported tracks.
- Advisory & CVE — we publish a GitHub Security Advisory (GHSA) and request a CVE identifier.
- Disclosure — to give users time to upgrade, we generally publish the advisory 90 days after the fixed releases are available. We are happy to coordinate the disclosure timeline with you.
- Credit — we credit reporters in the advisory by their preferred name or GitHub handle, unless you prefer to remain anonymous.
Vulnerabilities in the Neuron / NeuronEX code and its official plugins are in scope. When assessing impact we consider the intended deployment model (for example, control-plane and broker interfaces are typically deployed on private, trusted networks); please describe the exposure your report assumes.
Thank you for helping make the Neuron ecosystem safer.