Report a Security Vulnerability
Sonatype’s Bug Bounty Program
Report security issues for a potential reward. Rewards are based on the severity of the finding and its impact on the organization. Let’s work together to help secure Sonatype’s products and services while earning some extra cash!
Check Before You Submit
Before submitting a report, please first check Important advisories of known security vulnerabilities in Sonatype products to see if the issue has already been reported. Duplicate reports for the same vulnerability will be deleted.
How to Report a Vulnerability
Sonatype operates a private bug bounty program through HackerOne.
The recommended way to report a vulnerability is to request an invitation to our private HackerOne program before submitting your report. To request an invitation, please email security@sonatype.com.
Submitting through the private program helps ensure that you can review the program policy before reporting, including program rules, eligible targets, in-scope and out-of-scope vulnerability types, bounty eligibility, and communication expectations. It also allows you to track the status of your report and communicate with HackerOne Triage and Sonatype’s security team through the HackerOne platform.
If you do not already have a HackerOne account, you will need to create one before participating in the private program. Before requesting an invitation, please ensure your HackerOne account profile is complete, including valid country and tax information. For more information, see HackerOne's guidance on tax forms (Tax Forms | HackerOne Help Center).
If you prefer not to create or use a HackerOne account, you may submit a vulnerability report anonymously using the reporting form linked on this page. Please note that anonymous submissions may be more difficult for us to validate or follow up on, may not allow you to view the private program policy before submitting, and may not provide a way to track the status of your report.
When submitting a report, please include enough detail for us to understand, reproduce, and validate the issue. Useful information includes the affected products or services, step-by-step reproduction instructions, a description of the impact, proof-of-concept code, and supporting screenshots, logs, or videos where appropriate.
Reports submitted through HackerOne will be reviewed by HackerOne Triage and Sonatype’s security team. We will communicate through the HackerOne platform where possible as we evaluate the report, determine impact, and take appropriate action.
We appreciate researchers who follow coordinated vulnerability disclosure practices and work with us in good faith to help protect Sonatype customers and the broader software ecosystem.