"SonarLint for VSCode" and “SonarLint for PyCharm” Security questions


I am with the security team of my corporation and I am currently assessing your products “SonarLint for VSCode” and “SonarLint for PyCharm” from a security perspective to ensure that it meets our security requirements before we approve its purchase and/or use. I have a few question that I could not find answers for in your public information.

  1. Is your product Opensource?
  2. Is your product licensed and if so what is the general associated cost?
  3. Do you sell user data?
  4. Do you share data with third parties?
  5. Do you mine data to improve the product / service?
  6. Do you share data with advertisers?
  7. Have your reported a significant breach in the last five years?
  8. Do you retain customer data at the termination of the contract?
  9. Are you PCI compliant?
  10. Are you GDPR compliant?
  11. Are you Privacy Shield compliant?
  12. Are you or are you perusing SOC2 compliance?
  13. Are you ISO 27001 certified?
  14. Are you CMMI certified?
  15. Do you have a bug bounty program?
  16. Do you retain all data in North America and/or Europe or offer an option to?
  17. Do you maintain a regular patch cycle for considered product / service?
  18. Do you maintain an infrastructure that physically or logically segments customer data?
  19. Are your application development and support staff located in non-hostile countries to the U.S.?
  20. Do you offer multi factor authentication?
  21. Do you encrypt all client data at rest?
  22. Do you have a dedicated security team?
  23. Have you implemented redundancy or high availability features for critical functions?

Thanks in advance for the information. This will help me greatly in assessing your product for my organization.


Welcome to the community!

As you’ll see from the SonarLint.org site, SonarLint is FLOSS software. In fact, you might want to look over the site, several of your questions can be answered there. But some cannot. Here are answers to some of the more relevant questions…

We don’t collect user data, so there’s nothing to share or sell. We do send a ping home on a regular basis with some non-PII data so we can gauge usage.

SonarSource received finalized ISO 27001 certification only this week.

There is no bug bounty, but we do release regularly and there is a dedicated security team.


1 Like