Guidelines for reporting a security vulnerability:
Sophos runs a bug bounty program to reward researchers for their findings. If you believe you have discovered a vulnerability in a Sophos product, system or web-facing property, please submit a vulnerability report via bugcrowd.com/sophos. Please do not publicly disclose these details without contacting Sophos first, and without express prior written agreement from Sophos.
Sophos Disclosure Policy
As a security company, keeping our customers safe is Sophos’s primary concern. Sophos uses a Secure Development Lifecycle process to integrate security into its products from design, through development and release. However, sometimes vulnerabilities escape detection, or new exploits are released after the product is already on the market.
At Sophos we investigate all received vulnerability reports and implement the best course of action in order to protect our customers.
If you are a security researcher and have discovered a security vulnerability in our products, we appreciate your help in disclosing it to us in a responsible manner.
If you identify a verified vulnerability in compliance with Sophos’s Responsible Disclosure Policy, Sophos commits to:
- Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission)
- Work closely with you to understand the nature of the issue and work on timelines for fix/disclosure together
- Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated
- Publicly acknowledge your responsible disclosure (if you wish credit for such disclosure)
If you feel that your identified issue or report falls outside the scope defined on bugcrowd.com/sophos, please contact us at security-alert@sophos.com. Our PGP key is available here.
Sophos supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:
- Allow Sophos an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue, in order to ensure that Sophos has developed and thoroughly tested a patch and made it available to licensed customers at the time of disclosure.
- Make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services.
- Do not modify or destroy data that does not belong to you.
Responsible disclosure guidelines suggest that customers have an obligation to patch their systems as quickly as possible, and it is customary to expect patching to be completed within 30 days after release of a security patch or update. Sophos advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch in a timely manner.
The Sophos senior management team has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various officers of Sophos have day-to-day operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training.
Sophos’ Chief Technology Officer and General Counsel review our Vulnerability Disclosure policy from a legal and operational perspective on a yearly basis.
Thanks for your help.