Sophos Responsible Disclosure Policy

Guidelines for reporting a security vulnerability:

Sophos runs a bug bounty program to reward researchers for their findings. If you believe you have discovered a vulnerability in a Sophos product, system or web-facing property, please submit a vulnerability report via bugcrowd.com/sophos. Please do not publicly disclose these details without contacting Sophos first, and without expressed prior written agreement from Sophos.

Sophos Disclosure Policy

As a security company, keeping our customers safe is Sophos’s primary concern. Sophos uses a Secure Development Lifecycle process to integrate security into its products from design, through development and release. However, sometimes vulnerabilities escape detection, or new exploits are released after the product is already on the market.

At Sophos we investigate all received vulnerability reports and implement the best course of action in order to protect our customers.

If you are a security researcher and have discovered a security vulnerability in our products, we appreciate your help in disclosing it to us in a responsible manner.

If you identify a verified vulnerability in compliance with Sophos’s Responsible Disclosure Policy, Sophos commits to:

• Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission)
• Work closely with you to understand the nature of the issue and work on timelines for fix/disclosure together
• Notify you when the vulnerability is resolved, so that it can be re-tested and confirmed as remediated
• Publicly acknowledge your responsible disclosure (if you wish credit for such disclosure)

If you feel that your identified issue or report falls outside the scope defined on bugcrowd.com/sophos, please contact us at security-alert@sophos.com. Our PGP key is available here.

Sophos supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:

• Allow Sophos an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue, in order to ensure that Sophos has developed and thoroughly tested a patch and made it available to licensed customers at the time of disclosure.
• Make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services.
• Do not modify or destroy data that does not belong to you.

Responsible disclosure guidelines suggest that customers have an obligation to patch their systems as quickly as possible, and it is customary to expect patching to be completed within 30 days after release of a security patch or update. Sophos advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch timely.

The Sophos senior management team has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various officers of Sophos have day-to-day operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training.

Sophos’ Chief Technology Officer and General Counsel reviews our Vulnerability Disclosure policy from a legal and operational perspective on a yearly basis.

Thanks for your help