Follow this guide if you’ve found a vulnerability in one of Sonar’s products or websites and you want to responsibly report it.
Sonar customers with a support contract can report the vulnerability directly through the support channel.
Otherwise, send an email to security@sonarsource.com.
What we need from you:
- Detail the steps you followed that make the vulnerability exploitable including any URLs or code you used. The more information you provide, the faster we can reproduce and fix the problem.
- Please don’t send PDF, DOC, or EXE files or reports generated by DAST products. We will not look at them. We do accept images.
Focus areas:
- Cross-site scripting (XSS)
- SQL injection (SQLi)
- Cross-site request forgery (CSRF)
- Remote code execution (RCE)
- Cookies not used for authentication or CSRF protection, not being marked as Secure or HTTPOnly
- Data breaches, such as data of private projects or private organizations on SonarQube Cloud.
How SonarSource rewards you?
It’s in our plans, but we don’t have a bug bounty program currently. Instead, if you accept it, we’ll put you in the Hall of Fame section of this guide under the name or nickname of your choice.
Public disclosure
You need to get our permission before disclosing an issue publicly. We’ll only consider your public disclosure request after we’ve fixed the reported vulnerability.
Hall of Fame
Thank you all for having reported vulnerabilities privately, you rock!
- Francois Lajeunesse-Robert
- Ethiack
- Moti Harmats and Sharon Brizinov
- NH Limon
- Sujal Tuladhar and Pradip Bhattarai
- Ali Haider
- Nils Jannasch
- Clément Amic and Hugo Vincent
- Dhane Ashley Diabajo
- Nikolas Sotiriu
- Wesley Kirkland
- Sebastien Copin
- Gia. Bui Dai
- dcRUSTy
- Vaibhav Atkale
- Armanul Miraz
- Harsh D Ranjan
- Saurabh Siddharam Sanmane
- Alisha Sheikh
- Keitaro Yamazaki
- Pritam Mukherjee
- Amiya Behera
- Avishek Nayal
- SureshkumarAnbazhagan
- Suhas Sainathan
- Hassan Shahid
- Umesh P Jore
- Rayen Messaoudi
- Pethuraj M
- Vault Infosec