Sophos Responsible Disclosure Policy

As a security company, keeping our customers safe is Sophos’s primary concern. Sophos is a member of the Cloud Security Alliance. All Sophos products are created with security in mind: security against attacks on the systems we are protecting, and against attacks on our software itself. Sophos also uses a Secure Development Lifecycle to bake security into its products from design through development and release. However, sometimes vulnerabilities escape detection, or new exploits are released after the product is already on the market.

At Sophos we investigate all vulnerability reports and implement the best course of action in order to protect our customers.

If you are a security researcher and have discovered a security vulnerability in our products, we appreciate your help in disclosing it to us in a responsible manner.

If you identify a verified vulnerability in compliance with Sophos’s Responsible Disclosure Policy, Sophos commits to:

  • Provide prompt acknowledgement of receipt of your vulnerability report (within 48 business hours of submission)
  • Work closely with you to understand the nature of the issue and work on timelines for fix/disclosure together
  • Notify you when the vulnerability is resolved
  • Publicly acknowledge your responsible disclosure (if you wish credit for such disclosure)

In Scope:

  • All vulnerabilities in Sophos products and online resources except those defined as Out of Scope

Out of Scope:

  • Resource exhaustion attacks against Sophos online products and services.

Sophos supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. We ask the security research community to give us an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing it, in order to ensure that Sophos has developed and thoroughly tested a patch and made it available to licensed customers at the time of disclosure.

Responsible disclosure guidelines suggest that customers have an obligation to patch their systems as quickly as possible, and it is customary to expect patching to be completed within 30 days after release of a security patch or update. Sophos advises its customers that those who exploit security systems often do so by reverse engineering published security updates and therefore encourages its customers to patch promptly.

Working together as a security community, we can ensure the best possible security for everyone.

Guidelines for reporting a security vulnerability:

If you believe you have discovered a vulnerability in a Sophos product, please provide details to security-alert@sophos.com. Please do not publicly disclose these details without express written agreement from Sophos.

IMPORTANT: when reporting any suspected vulnerabilities, please include the following information in your email, and use the encryption key posted below:

  • Vulnerability details, with information to allow us to efficiently reproduce your steps (screenshots and compressed screen captures are all helpful to us). Please do not include personally identifiable information.
  • Product name and version
  • PGP key link: please encrypt your email using the PGP key contained in the attached text file 56657.txt.
  • Your name (as you would like it displayed in an acknowledgement as a responsible discloser of a security vulnerability, in the event you would like such recognition), your job title, organization/company name, and country
  • Express consent for Sophos to acknowledge you publicly as a responsible discloser of a security vulnerability, or notice that you do not wish Sophos to publicly acknowledge your submission.

If possible, please write your email in English, especially the summary of the problem. Sophos is able to process emails and submitted files in other formats and in non-English languages; however, this may cause some delay due to translation.

The Sophos senior management team has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various officers of Sophos have day-to-day operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training.

Sophos’s Chief Technology Officer and General Counsel will review this policy from a legal and operational perspective at least once a year.