Report a Security Vulnerability

Sonatype’s Bug Bounty Program

Report security issues for a potential reward. Rewards are based on the severity of the finding and its impact on the organization. Even if a report does not qualify for a monetary reward, it may still qualify for company swag. Let’s work together to help secure Sonatype’s products and services while you earn some extra cash and/or swag!


Check Before You Submit
Before submitting a report, please first check Important advisories of known security vulnerabilities in Sonatype products to see if this has been previously reported. Duplicate reports for the same vulnerability will be deleted.

How to Report a Vulnerability

Sonatype uses the HackerOne platform for its Bug Bounty Program. If you do not have a HackerOne account, please send an email to security@sonatype.com to receive an invitation.

IMPORTANT: Before requesting entry to our bounty program, please ensure that you have set up a HackerOne account with both valid country and tax information filled out - Tax Forms | HackerOne Help Center

Prior to reporting, please review the program's policy for SLAs, program rules, in and out of scope vulnerabilities/applications, and bounty eligibility.

Please follow the platform's workflow to submit the report, provide comments or feedback, and upload any supporting documentation, images, and/or videos.

Your submission will be reviewed by the HackerOne Triage team within 1 - 2 business days. Once triaged, Sonatype will validate the finding and you'll receive a more detailed response and potential rewards within the platform within 14 business days. Remediation of the finding will depend on the severity and complexity. We’ll try to keep you informed about our progress throughout the process.

We ask that everyone follow responsible disclosure practices and allow us time to release a fix before disclosing the finding publicly.