Dedicated security contact for organizations

SonarQube Cloud Announcements
,
1

Hello everyone,

Effective communication is the backbone of a strong security posture. When it comes to the security of your SonarQube Cloud service - specifically critical incident alerts or service-level vulnerability disclosures - ensuring the right information reaches the right team instantly is paramount.

To provide more precision in how we reach you, we’ve introduced the dedicated security contact email field.

Previously, service notifications defaulted to the organization’s initial creator. As organizations scale and teams evolve, this new feature allows you to decouple administrative ownership from security oversight. By establishing a persistent, dedicated channel, you ensure that important security updates from Sonar land exactly where they need to: with your security experts.

What’s new?

  • Dedicated security routing: A specific, persistent contact point reserved for urgent, service-level security communications.
  • Built for continuity: We highly encourage using a distribution list (e.g., security-ops@yourcompany.com). This ensures your organization remains reachable and responsive, regardless of individual team changes or transitions.
  • Enhanced visibility: To help with internal auditing, the UI now shows who last updated the contact information and when. The page itself is only visible to Organization Admins.
  • Available to all: This feature is live for all SonarQube Cloud plans to ensure every organization has a reliable line of communication.

Where to find it

Navigate to your Organization page, and head to Administration > Organization Settings > Security contact. You’ll find the new security contact field ready for your input.

Screenshot 2026-01-23 at 13.20.04
Screenshot 2026-01-23 at 13.20.042688×1722 416 KB

This email address is stored as an administrative contact only, and is strictly for critical, time-sensitive security events (e.g., service-level vulnerabilities affecting SonarQube Cloud or urgent incident response communications). It will not be added to marketing lists, sales outreach, or routine newsletter distributions.

Let us know your thoughts on this change in the comments below!

-Simone

P.S.: Want to chat about your security and project management needs? Feel free to book a call with me (a Product Manager) to share more about your use cases: Calendar Booking Link

3 Likes