|
| 1 | +<!-- |
| 2 | +
|
| 3 | + Copyright (c) 2011-present Sonatype, Inc. All rights reserved. |
| 4 | + Includes the third-party code listed at http://links.sonatype.com/products/clm/attributions. |
| 5 | + "Sonatype" is a trademark of Sonatype, Inc. |
| 6 | +
|
| 7 | +--> |
| 8 | + |
| 9 | +# Reporting Security Vulnerabilities |
| 10 | + |
| 11 | +## When to report |
| 12 | + |
| 13 | +First check |
| 14 | +[Important advisories of known security vulnerabilities in Sonatype products](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories) |
| 15 | +to see if this has been previously reported. |
| 16 | + |
| 17 | +## How to report |
| 18 | + |
| 19 | +Please email reports regarding security related issues you find to [mailto:[email protected]]([email protected]). |
| 20 | + |
| 21 | +Use our public key below to keep your message safe. |
| 22 | + |
| 23 | +## What to include |
| 24 | + |
| 25 | +Please use a descriptive subject line in your email report. |
| 26 | + |
| 27 | +Your name and/or affiliation. |
| 28 | + |
| 29 | +A detailed technical description of the vulnerability, attack scenario and where |
| 30 | +possible, how we can reproduce your findings. |
| 31 | + |
| 32 | +Provide us with a secure way to respond. |
| 33 | + |
| 34 | +## What to expect |
| 35 | + |
| 36 | +Your email will be acknowledged within 1 - 2 business days, and you'll receive a |
| 37 | +more detailed response to your email within 7 business days. |
| 38 | + |
| 39 | +We ask that everyone please follow responsible disclosure practices and allow |
| 40 | +time for us to release a fix prior to public release. |
| 41 | + |
| 42 | +Once an issue is reported, Sonatype uses the following disclosure process: |
| 43 | + |
| 44 | +When a report is received, we confirm the issue and determine its severity. |
| 45 | + |
| 46 | +If third-party services or software require mitigation before publication, those |
| 47 | +projects will be notified. |
| 48 | + |
| 49 | +## Our public key |
| 50 | + |
| 51 | +```console |
| 52 | +-----BEGIN PUBLIC KEY BLOCK----- |
| 53 | +mQENBFF+a9ABCADQWSAAU7w9i71Zn3TQ6k7lT9x57cRdtX7V709oeN/c/1it+gCw |
| 54 | +onmmCyf4ypor6XcPSOasp/x0s3hVuf6YfMbI0tSwJUWWihrmoPGIXtmiSOotQE0Q |
| 55 | +Sav41xs3YyI9LzQB4ngZR/nhp4YhioD1dVorD6LGXk08rvl2ikoqHwTagbEXZJY7 |
| 56 | +3VYhW6JHbZTLwCsfyg6uaSYF1qXfUxHPOiHYKNbhK/tM3giX+9ld/7xi+9f4zEFQ |
| 57 | +eX9wcRTdgdDOAqDOK7MV30KXagSqvW0MgEYtKX6q4KjjRzBYjkiTdFW/yMXub/Bs |
| 58 | +5UckxHTCuAmvpr5J0HIUeLtXi1QCkijyn8HJABEBAAG0KVNvbmF0eXBlIFNlY3Vy |
| 59 | +aXR5IDxzZWN1cml0eUBzb25hdHlwZS5jb20+iQE4BBMBAgAiBQJRfmvQAhsDBgsJ |
| 60 | +CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAgkmxsNtgwfUzbCACLtCgieq1kJOqo |
| 61 | +2i136ND5ZOj31zIzNENLn8dhSg5zQwTHOcntWAtS8uCNq4fSlslwvlbPYWTLD7fE |
| 62 | +iJn1z7BCU8gBk+pkAJJFWEPweMVt+9bYQ4HfKceGbJeuwBBhS34SK9ZIp9gfxxfA |
| 63 | +oTm0aGYwKR5wH3sqL/mrhwKhPt9wXR4qwlE635STEX8wzJ5SBqf3ArJUtCp1rzgR |
| 64 | +Dx+DiZed5HE1pOI2Kyb6O80bm485WThPXxpvp3bfzTNYoGzeLi/F7WkmgggkXxsT |
| 65 | +Pyd0sSx0B/MO4lJtQvEBlIHDFno9mXa30fKl+rzp2geG5UxNHJUjaC5JhfWLEXEX |
| 66 | +wV0ErBsmuQENBFF+a9ABCADXj04+GLIz8VCaZH554nUHEhaKoiIXH3Tj7UiMZDqy |
| 67 | +o4WIw2RFaCQNA8T0R5Q0yxINU146JQMbA2SN59AGcGYZcajyEvTR7tLG0meMO6S0 |
| 68 | +JWpkX7s3xaC0s+5SJ/ba00oHGzW0aotgzG9BWA5OniNHK7zZKMVu7M80M/wB1RvK |
| 69 | +x775hAeJ+8F9MDJ+ijydBtaOfDdkbg+0kU1xR6Io+vVLPk38ghlWU8QFP4/B0oWi |
| 70 | +jK4xiDqK6cG7kyH9kC9nau+ckH8MrJ/RzEpsc4GRwqS4IEnvHWe7XbgydWS1bCp6 |
| 71 | +8uP5ma3d02elQmSEa+PABIPKnZcAf1YKLr9O/+IzEdOhABEBAAGJAR8EGAECAAkF |
| 72 | +AlF+a9ACGwwACgkQIJJsbDbYMH3WzAf/XOm4YQZFOgG2h9d03m8me8d1vrYico+0 |
| 73 | +pBYU9iCozLgamM4er9Efb+XzfLvNVKuqyR0cgvGszukIPQYeX58DMrZ07C+E0wDZ |
| 74 | +bG+ZAYXT5GqsHkSVnMCVIfyJNLjR4sbVzykyVtnccBL6bP3jxbCP1jJdT7bwiKre |
| 75 | +1jQjvyoL0yIegdiN/oEdmx52Fqjt4NkQsp4sk625UBFTVISr22bnf60ZIGgrRbAP |
| 76 | +DU1XMdIrmqmhEEQcXMp4CeflDMksOmaIeAUkZY7eddnXMwQDJTnz5ziCal+1r0R3 |
| 77 | +dh0XISRG0NkiLEXeGkrs7Sn7BAAsTsaH/1zU6YbvoWlMlHYT6EarFQ== =sFGt |
| 78 | +-----END PUBLIC KEY BLOCK----- |
| 79 | +``` |
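Review bot: the armored key at the end of this hunk will not import as written, for two reasons. The armor header reads `-----BEGIN PUBLIC KEY BLOCK-----` (and the footer `-----END PUBLIC KEY BLOCK-----`), but the OpenPGP armor format (RFC 4880, section 6.2) requires `-----BEGIN PGP PUBLIC KEY BLOCK-----` / `-----END PGP PUBLIC KEY BLOCK-----`; GnuPG does not recognise the shorter form as OpenPGP data. Second, the CRC24 checksum `=sFGt` has been pushed onto the end of the last base64 line (`...6EarFQ== =sFGt`) instead of standing on its own line, which is also a format violation. Please paste the output of `gpg --armor --export <keyid>` verbatim, and consider adding the key's fingerprint in prose above the block so reporters can verify the key out of band rather than trusting whatever is served over HTTPS. Two smaller points: the fence is tagged `console`, which is misleading for a key block (a plain or `text` fence is better), and the link in the "How to report" section has the `mailto:` prefix in the link text rather than in the link target, so it renders as a broken mailto; the shape should be `[address](mailto:address)`. Finally, "Provide us with a secure way to respond" would be clearer as "include your own PGP public key (or a fingerprint we can look up) so we can reply encrypted".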