As a security company, keeping our customers safe is our primary concern. At Sophos we investigate all vulnerability reports and implement the best course of action in order to protect our customers. We believe in working closely with the research community, and give credit to finders who follow responsible disclosure.
All Sophos products are created with security in mind: security against attacks on the systems we are protecting, and against attacks on our software itself. Additionally, some of our products are EAL4 and Common Criteria certified. However, sometimes vulnerabilities escape detection, or new exploits are released after the product is already on the market.
Sophos supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers.
- We believe that vulnerabilities should only be announced once a solution is available to customers.
- Although fixing vulnerabilities when identified is our highest priority, releasing an update to any of our products does require time. Each vulnerability needs to be assessed, a fix needs to be developed, and then it must be tested to ensure it does not introduce new problems.
Sophos strongly recommends that customers keep their systems patched and up to date. From the moment a patch is released, attackers will try to reverse-engineer it to find the vulnerability and attack unpatched systems.
If you discover a vulnerability in a Sophos product, please contact us by email at
Please make sure you include the following information in your email, and use the encryption key posted below:
- Your name
- Your job title
- Your organization/company name
- PGP key - please encrypt your email with the PGP key contained in the attached text file 56657.txt.
If possible, please write your email in English, especially the summary of the problem. We can process emails and submitted files in other formats and in non-English languages; however, this may cause some delay due to translation.