2016-07-21
2020-04-11
Thank
Gift
HOF
Reward

Reward

100 $ 

Sophos

Program Overview

At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.

Sophos rewards the responsible disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality or integrity of Sophos' or our users' data (such as by bypassing our authentication or authorization process, privilege escalation, or instigating action on another user's behalf). Kudos rewards and recognition in the Sophos Security Hall of Fame may be provided for the disclosure of qualifying bugs, depending on the severity and creativity of the identified issues. Sophos may also award company swag for qualifying issues. Additionally, please see the "Monetary Rewards" section below for details on monetized vulnerability reports.

The scope of this program is limited to technical security vulnerabilities in Sophos owned websites, applications, products, and software. Additionally, in general no credentials or product keys will be provided for this program - all testing is to be performed using self-provisioned credentials against legally obtained Sophos products (including free trials). See the section Credentials for more details.
For a more detailed description of our scope for endpoint software, see the section Special Targets.

This program largely adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.

However, we do NOT accept SPF/DKIM/DMARC issues at this point in time.

Scope and rewards

Program rules

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

In Scope

| Scope Type | Scope Name |
| --- | --- |
| (unspecified) | XG Firewall |
| (unspecified) | Intercept X Endpoint |
| (unspecified) | Sophos Central |
| (unspecified) | Any Other Sophos Product or Service |
| (unspecified) | XG Firewall - Pre-auth RCE |
| web_application | *.sophos.com |
| web_application | *.hitmanpro.com |
| web_application | *.reflexion.net |
| web_application | *.astaro.com |
| web_application | *.cyberoam.com |

Out of Scope

| Scope Type | Scope Name |
| --- | --- |
| web_application | *.ddns.cyberoam.com |
| web_application | tickets.reflexion.net |
| web_application | app.reflexion.net |
| web_application | autodiscover.hitmanpro.com |
| web_application | *eventreg.sophos.com |
| web_application | events.sophos.com |
| web_application | lyncdiscover.hitmanpro.com |
| web_application | mev.hitmanpro.com |
| web_application | *.releaseportal.cyberoam.com |
| web_application | shop.hitmanpro.com |
| web_application | sip.hitmanpro.com |
| web_application | sophos.atlassian.net (Public service desk) |
| web_application | support.hitmanpro.com |
| web_application | surveys.sophos.com |


This program can reward you in USD, up to 20000 $.
