# Nancy

> First check [Important advisories of known security vulnerabilities in Sonatype products](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories) to see if this has been previous

---

# Source: https://github.com/sonatype-nexus-community/nancy

# Reporting Security Vulnerabilities

## When to report

First check [Important advisories of known security vulnerabilities in Sonatype products](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories) to see if this has been previously reported.

## How to report

Please email reports regarding security related issues you find to [security@sonatype.com](mailto:security@sonatype.com).

Use the public key provided by Sonatype to keep your message safe.

## What to include

Please use a descriptive subject line in your email report.

Include your name and/or affiliation.

Provide a detailed technical description of the vulnerability, attack scenario and where possible, how we can reproduce your findings.

Provide us with a secure way to respond.

## What to expect

Your email will be acknowledged within 1 - 2 business days, and you'll receive a more detailed response to your email within 7 business days.

We ask that everyone please follow responsible disclosure practices and allow time for us to release a fix prior to public release.

Once an issue is reported, Sonatype uses the following disclosure process:

1. When a report is received, we confirm the issue and determine its severity.
2. If third-party services or software require mitigation before publication, those projects will be notified.

## Contact Information

**Security Email:** [security@sonatype.com](mailto:security@sonatype.com)

**Advisory Information:** [Sonatype Security Advisories](https://support.sonatype.com/hc/en-us/sections/203012668-Security-Advisories)