We are considering purchasing SonarCloud’s services for our organization, but have some questions about the security policy that are not answered on the posted security statement. Any information would be greatly appreciated:
- How often does SonarCloud update their running instances of SonarSource in response to a new release, especially with regard to vulnerabilities of various risk levels?
- Who provides the third party penetration testing service that SonarCloud utilizes? Precisely how often is this scanning conducted?
- Has SonarCloud ever been significantly breached (if so, when)? (I couldn’t find any articles posted anywhere.)
- If SonarCloud/SonarSource were breached, when would the breach be disclosed?
- Does SonarCloud maintain data breach insurance? If so, does this include third parties?
- What happens to our data at the end of the service contract?