Follow this policy if you found a vulnerability in sonar-tools and you want to responsibly report it. Please report by sending an email to [email protected]. Please don't open an issue about it since issues are public.

What I need from you:

Detail the steps you followed that make the vulnerability exploitable. The more information you provide, the faster we can reproduce and fix the problem. Please don’t send PDF, DOC, or EXE files or reports generated by DAST products. I do accept images. Focus areas:

• Command Injection
• Path traversal
• SQL injection (SQLi)
• Remote code execution (RCE)
• Data breaches.

sonar-tools is an non profit open source project and therefore has no budget. If you accept it, we’ll put you in the Hall of Fame section of this guide under the name or nickname of your choice.

Public disclosure

You need to get my permission before disclosing an issue publicly. We’ll only consider your public disclosure request after we’ve fixed the reported vulnerability.

No vulnerabilities reported so far.