Guidelines for reporting a security vulnerability:
Sophos runs a bug bounty program to reward researchers for their findings. If you believe you have discovered a vulnerability in a Sophos product, system or web-facing property, please submit a vulnerability report via bugcrowd.com/sophos. Please do not publicly disclose these details without contacting Sophos first, and without express prior written agreement from Sophos.
Sophos Disclosure Policy
As a security company, keeping our customers safe is Sophos’s primary concern. Sophos uses a Secure Development Lifecycle process to integrate security into its products from design, through development and release. However, sometimes vulnerabilities escape detection, or new exploits are released after the product is already on the market.
At Sophos we investigate all received vulnerability reports and implement the best course of action in order to protect our customers.
If you are a security researcher and have discovered a security vulnerability in our products, we appreciate your help in disclosing it to us in a responsible manner.
If you identify a verified vulnerability in compliance with Sophos’s Responsible Disclosure Policy, Sophos commits to:
- Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission)
- Work closely with you to understand the nature of the issue and work on timelines for fix/disclosure together
- Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated
- Publicly acknowledge your responsible disclosure (if you wish credit for such disclosure)
If you feel that your identified issue or report falls outside the scope defined on bugcrowd.com/sophos, please contact us at security-alert@sophos.com. Our PGP key is available here.
Sophos supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:
- Allow Sophos an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue, in order to ensure that Sophos has developed and thoroughly tested a patch and made it available to licensed customers at the time of disclosure.
- Make a good faith effort to avoid privacy violations as well as destruction, interruption or degradation of our services.
- Do not modify or destroy data that does not belong to you.
Responsible disclosure guidelines suggest that customers have an obligation to patch their systems as quickly as possible, and it is customary to expect patching to be completed within 30 days after release of a security patch or update. Sophos advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch promptly.
The Sophos senior management team has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various officers of Sophos have day-to-day operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training.
Sophos’ Chief Technology Officer and General Counsel review our Vulnerability Disclosure policy from a legal and operational perspective on a yearly basis.