| Version | Supported |
|---|---|
| v1.6.x-alpha | Yes |
| v1.5.x-alpha | Security fixes only |
| < v1.5.0-alpha | No |
Please do not report security vulnerabilities through public GitHub issues.
Instead, report them via GitHub Security Advisories.
Include as much of the following as you can:
- Description of the vulnerability
- Steps to reproduce or proof of concept
- Affected versions
- Impact assessment (what an attacker could achieve)
- Any suggested fix (optional)
What you can expect after reporting:
- Acknowledgement within 3 business days
- Initial assessment within 7 business days
- Fix timeline communicated after assessment — critical vulnerabilities are prioritized for the next patch release
- Credit in the release notes (unless you prefer to remain anonymous)
The following are in scope:
- Neo4j Kubernetes Operator code (`internal/`, `cmd/`, `api/`)
- Helm chart templates (`charts/neo4j-operator/`)
- OLM bundle manifests (`bundle/`)
- CI/CD workflows (`.github/workflows/`)
- Container images published to `ghcr.io/neo4j-partners/neo4j-kubernetes-operator`
The following are out of scope:
- Neo4j database server itself (report to Neo4j Security)
- Third-party dependencies (report upstream, but let us know if it affects this operator)
- Infrastructure hosting the repository (report to GitHub)
See the Security Guide for recommendations on deploying Neo4j securely with this operator, including TLS, authentication, network policies, and encryption at rest.