One in Six Developers in Healthcare Report Open Source Breaches | Press Release

Central Security Project

Expedited vulnerability assignment for the Central Repository

Report Vulnerabilities


Report vulnerabilities, get feedback and see disclosed vulnerabilities by ecosystem on a single platform.

Issue Resolution

Quickly resolve issues

Get issue resolution in record time through the Central Security Project's fast track process. 

Keep Score

Keep score 

Track reported issues by status, get credit for your work and boost your reputation.

Sonatype and HackerOne - Press Release

How it Works

Expedited security research meets the
industry leading vulnerability reporting platform

From the early contributions to the Apache Maven project to the OSSIndex, the Central Security Project continues Sonatype's long history of supporting the developer and research communities with tools to help them secure their open source software supply chains. 

The Central Security Project is a partnership between Sonatype and HackerOne. Bringing Sonatype's superior data research capabilities together with HackerOne's unique reporting platform, we are simplifying the vulnerability reporting process and allowing developers and security researchers to resolve issues faster than ever.

HackerOne was started by security leaders who are driven by a passion to make the internet safer. Their platform is the industry standard and they partner with the global hacker community to surface the most relevant security issues before they can be exploited by criminals.

Sonatype provides access to a team of over 65 Data Security Research Analysts and the largest collection of curated vulnerability data in a single database. 

Combining our strengths provides the developer and research communities with the power to accelerate vulnerability fixes and a peaceful resolution to a frustrating problem.

Central Security Project + HackerOne = reducing the open source code risk worldwide. 

Traditional Reporting
Central Security Project
Traditional Reporting: Manual reporting plagues developers as they struggle with who to contact or unresponsive projects.
Central Security Project: Developers can easily add a vulnerability in full detail without having to contact the project team.

Traditional Reporting: Unsure of proper disclosure time or reporting requirements, developers don't know how to proceed.
Central Security Project: Developers and researchers have access to a unified platform with detailed issue reporting requirements. Reporters get feedback on, and credit for their contribution.

Traditional Reporting: Resolution is slow and the developer's code may be vulnerable.
Central Security Project: Vulnerabilities are confirmed by the Sonatype Data Security Research Team and fast tracked for quick resolution.

Traditional Reporting: The administrative process for officially registering an issue is cumbersome.
Central Security Project: As a Certified CNA, HackerOne will facilitate obtaining the CVE.

Help the community!