| Scope Type | Scope Name |
| other | Invincea X NextGen Anti-Virus |
Out of Scope
| Scope Type | Scope Name |
| web_application | *.Sandboxie.com (including downloadable product) |
| web_application | *.spotflux.com (including downloadable product) |
See the Rewards and Out-of-Scope sections for more details.
*.sophos.com (excluding 3rd-party software, sites and services).
At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.
Sophos rewards the confidential disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality or integrity of Sophos or user data (for example by bypassing our authentication or authorization process, escalating privileges, or instigating action on another user's behalf). Kudos rewards and recognition in the Sophos Security Hall of Fame may be provided for the disclosure of qualifying bugs, depending on the severity and creativity of the identified issues. Sophos may also award company swag for qualifying issues. Additionally, please see the "Monetary Rewards" section below for details on monetized vulnerability reports.
The scope of this program is limited to technical security vulnerabilities in Sophos-owned websites, applications, products, and software. Additionally, in general no credentials or product keys will be provided for this program; all testing is to be performed using self-provisioned credentials against legally obtained Sophos products (including free trials). See the Credentials section for more details.
For a more detailed description of our scope for endpoint software, see the Special Targets section.
This program largely adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.
We do not, however, accept SPF/DKIM/DMARC issues at this point in time.
In Scope
Target name | Type
*.sophos.com | Other
*.cyberoam.com | Website
*.astaro.com | Website
*.who-is-using-me.com | Other
*.astaro.at | Other
*.astaro.ch | Other
*.astaro.de | Other
*.astaro.info | Other
*.astaro.net | Other
*.astaro.org | Other
*.astaro-tech.com | Other
astaro.uservoice.com | Other
*.fw-notify.net | Other
*.myastaro.com | Other
*.reflexion.net | Other
*.mojave.net | Other
*.surfright.nl | Other
*.hitmanpro.com | Other
*.hitmanpro.nl | Other
Invincea X NextGen Anti-Virus | Other
dev.phishthreat.com | Website
Out of Scope
Target name | Type
*.astaroedu.com | Other
*.astaro-security.com | Other
*.Sandboxie.com (including downloadable product) | Website
*.spotflux.com (including downloadable product) | Website
*.releaseportal.cyberoam.com | Website
*.ddns.cyberoam.com | Website
*eventreg.sophos.com | Website
surveys.sophos.com | Website
app.reflexion.net | Website
tickets.reflexion.net | Website
autodiscover.hitmanpro.com | Other
lyncdiscover.hitmanpro.com | Other
sip.hitmanpro.com | Other
support.hitmanpro.com | Other
shop.hitmanpro.com | Other
mev.hitmanpro.com | Website
Verifiable evidence the vulnerability exists (screenshot/video/script) is required to receive recognition or an award for reported vulnerabilities.
For more technically elaborate vulnerabilities, reproduction steps are required. Rewards or recognition will not be awarded if our security team cannot reproduce and verify an issue. When researching a bug, please also use test accounts (and test systems where appropriate) so that the security and privacy of real users are not affected.
As a researcher, you are only considered eligible for a reward if you are the first person to report the issue to Sophos. We commit to responding to a report within 48 business hours, and to implementing a fix within up to 90 days, depending on the severity of the report. Note that posting details or conversations about a report before it has been approved for disclosure, or posting details that reflect poorly on this program or the Sophos brand, will result in forfeiture of any award and/or immediate removal from the program.
DO NOT use the output from automated scanners and tools as your entire
DO provide a description of the nature and impact of the issue in your vulnerability report
Current employees or contractors of a Sophos Group entity are not eligible to participate in the program.
Former employees and contractors are eligible to participate in the program only if (i) they have left the Sophos Group entity more than 1 year prior to submission and (ii) they are not making use of or referring to any non-public Sophos information obtained when they were an employee or contractor.
Qualifying bugs will be rewarded via Kudos based on severity, to be determined by Sophos security team. Rewards may range from Kudos to Sophos-branded swag. Awards are granted entirely at the discretion of Sophos.
updated: November 15, 2018
Monetary rewards are applicable to the following targets ONLY (please note the Out-of-Scope section for this program).
*.sophos.com (excluding 3rd-party software, sites and services)
Priority | Amount
P1 | $1,500 - $3,000
P2 | Kudos
P3 | Kudos
P4 | Kudos
All other targets are rewarded with kudos ONLY. The priority of submissions will be assigned according to the Bugcrowd Vulnerability Rating Taxonomy.
At Sophos' discretion, providing complete research, proof-of-concept code, and detailed documentation may earn a bonus percentage on the bounty awarded. Conversely, Sophos reserves the right to reduce the paid bounty for vulnerabilities that require complex or over-complicated interactions, or for which the impact or security risk is negligible or misstated.
For testing services and products that require credentials, please create an account on your own using your @bugcrowdninja.com email address. Your bugcrowdninja email address is your username; emails will go to the email address associated with your account.
If for some reason your IP address or account is banned during your research activity, please contact us at email@example.com and we'll restore your
Sophos offers a broad range of Endpoint protection products on multiple platforms (Windows, Mac, Linux, Android, iOS, etc.), including (but not limited to) Anti-Virus and Exploit Prevention. Since we strive to make our products as secure as possible, we would like to receive all your reports regarding any security issues relating to our Endpoint protection products.
We are particularly interested in:
To obtain credentials for the dev.phishthreat.com target, please email firstname.lastname@example.org with your Bugcrowd username.
Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public without explicit consent from Sophos.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.