First, check the published advisories of known security vulnerabilities in Sonatype products to see whether the issue has already been reported.
Duplicate reports for the same vulnerability will be deleted.
Sonatype uses the HackerOne platform for its Bug Bounty Program. If you do not have a HackerOne account, please send an email to security@sonatype.com to receive an invitation.
See https://www.sonatype.com/report-a-security-vulnerability.
Prior to reporting, please review the program's policy for SLAs, program rules, in-scope and out-of-scope vulnerabilities and applications, and bounty eligibility.