Responsible disclosure
At Sophos, we investigate all vulnerability reports and implement the best course of action to protect our customers.

If you believe you have identified a security issue that may be a vulnerability in a Sophos product, please contact our security team via one of the methods below:
- Preferred: Submit a report through our Bug Bounty Programme; or
- Email security-alert@sophos.com. For confidentiality, an authorised individual will respond with a public PGP key.

Only vulnerabilities submitted through our Bug Bounty Programme are eligible to receive a bounty payment.