Sophos

Update: Monetary Rewards

See the Rewards and Out-of-Scope section section for more details.

• As of November 15th, 2018, this program now offers monetary rewards for "Critical" (P1) submissions on the target: *.sophos.com (excluding 3rd party software, sites and services).
• As of September 25, 2018, this program now offers monetary rewards for "Critical" (P1) submissions on the target: *.hitmanpro.com.
• As of May 30, 2018, this program now offers monetary rewards for "Critical" (P1) submissions on the target: *.reflexion.net.
• As of February 13, 2018, this program now offers monetary rewards for "Critical" (P1) submissions on the target: *.astaro.com.
• As of December 14, 2017, this program now offers monetary rewards for "Critical" (P1) submissions on the target: *.cyberoam.com.

Program Overview

At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.

Sophos rewards the responsible disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality or integrity of our Sophos or users' data (such as by bypassing our authentication or authorization process, privilege escalation, or instigating action on another user's behalf). Kudos rewards and recognition in the Sophos Security Hall of Fame may be provided for the disclosure of qualifying bugs, depending on severity and creativity of identified issues. Sophos may also award company swag for qualifying issues. Additionally, please see the "Monetary Rewards" section below for details on monetized vulnerability reports.

The scope of this program is limited to technical security vulnerabilities in Sophos owned websites, applications, products, and software. Additionally, in general no credentials or product keys will be provided for this program - all testing is to be performed using self-provisioned credentials against legally obtained Sophos products (including free trials). See the section Credentials for more details.
For a more detailed description of our scope for endpoint software, see the section Special Targets for details.

This program largely adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.

We do however NOT accept SPF/DKIM/DMARC issues at this point in time.

Reporting

Verifiable evidence the vulnerability exists (screenshot/video/script) is required to receive recognition or an award for reported vulnerabilities.

For more technically elaborate vulnerabilities, reproduction steps are required. Rewards or recognition will not be awarded If our security team cannot reproduce and verify an issue. When researching a bug, please also use test accounts (and systems where appropriate) such that security and privacy of real users are not affected.

Reward Eligibility

As a researcher, you are only considered eligible for a reward if you're the first person reporting it to Sophos. We commit to having 48 business hours to respond to the report, and up to 90 days to implement a fix based on the severity of the report. Note that posting details or conversations about this report before it has been approved for disclosure or posting details that reflect poorly on this program or the Sophos brand will result in forfeiture of any award and/or immediate removal from the program.

DO NOT use the output from automated scanners and tools as your entire vulnerability report
DO provide a description of the nature and impact of the issue in your vulnerability report

Current/former employees/contractors

Current employees or contractors of a Sophos Group entity are not eligible to participate in the program.
Former employees and contractors are eligible to participate in the program only if (i) they have left the Sophos Group entity more than 1 year prior to submission and (ii) they are not making use of or referring to any non-public Sophos information obtained when they were an employee or contractor.

Rewards

Qualifying bugs will be rewarded via Kudos based on severity, to be determined by Sophos security team. Rewards may range from Kudos to Sophos-branded swag. Awards are granted entirely at the discretion of Sophos.

Monetary Rewards

updated: November 15, 2018
Monetary rewards are applicable to the following targets ONLY (please note the Out-of-Scope section for this program).
- *.sophos.com (excluding 3rd party software, sites and services)
- *.cyberoam.com
- *.astaro.com
- *.reflexion.net
- *.hitmanpro.com

Priority	Amount
P1	$1,500 - $3,000
P2	Kudos
P3	Kudos
P4	Kudos

All other targets are rewarded with kudos ONLY. The priority of submissions will be assigned according to the Bugcrowd Vulnerability Rating Taxonomy.

At Sophos discretion, providing a complete research, proof-of-concept code, and detailed documentation may incur a bonus percentage on the bounty awarded. Conversely, Sophos reserves the right to reduce the paid bounty for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible, or misstated.

Responsible Disclosure

Sophos supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:

• Allow Sophos an opportunity to correct a vulnerability within a reasonable time frame before publicly disclosing the identified issue, in order to ensure that Sophos has developed and thoroughly tested a patch and made it available to licensed customers at the time of disclosure.
• Make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of our services.
• Do not modify or destroy data that does not belong to you.

For the full responsible disclosure policy, please refer to the Sophos Responsible Disclosure Policy.

Credentials

For testing services and products that require credentials, please create an account on your own using your @bugcrowdninja.com email address. Your bugcrowdninja email address is your username @bugcrowdninja.com. All emails will go to the email address associated with your account.

If for some reason your IP address or account are banned during your research activity please contact us at bugbounty@sophos.com and we'll restore your access ASAP.

Special targets

Sophos XG Firewall

Sophos is happy to announce a focused reward schema for a limited time on XG Firewall.

Until further notice, we will increase the payouts for specific P1 findings up to US$10,000.

Findings eligible for the highest payout are/come with:

• Attack Vector: Network (WAN interface only)
• Attack Complexity: Low (no MitM etc.)
• Privileges Required: None (pre-auth only)
• User Interaction: None (no phishing, etc.)
• Impact: Code/command execution as root (CVSSv3+ C:H/I:H/A:H)
• Reproducible on the latest maintenance release of either v17.5 or v18.0, as published on MySophos
  • Findings on versions older than v17.5 or the latest MR are not eligible
• Detailed version information:
  • Login to the Device Console
  • At the console> prompt type: “system dia sh ver”
  • Add the output to the report (screenshots accepted)
• PoC code or step by step reproduction instructions
  • May be in the form of a video
• Tools used to detect the issue, if any
• Information on what helped discover the issue most:
  • Root shell access
  • Reverse engineering (decompiled JARs)
  • Previously published CVE (incl. CVE ID)
  • Other (please elaborate) *Source code file and line of the issue, if possible

All testing can be done with free trial versions of the product on any available platform (software/virtual/hardware).

IMPORTANT. All research should be done on fresh trial versions and when signing up for the trail, ensure your email has bugcrowdninja in the address. For example, tom+bugcrowdninja@gmail.com or bill@bugcrowdninja.com

Eligible findings are reproducible on fully patched v17.5 or v18.0 installations of XG Firewall (see https://community.sophos.com/kb/en-us/135415 for details). Sophos will not reward issues no longer reproducible.

Sophos Endpoint Products

Sophos offers a broad range of Endpoint protection products on multiple platforms (Windows, Mac, Linux, Android, iOS, etc.), including (but not limited to) Anti-Virus and Exploit Prevention, Since we strive to make our products as secure as possible, we would like all your reports regarding any security issues relating to our Endpoint protection products.
We are particularly interested in:

• Privilege escalation via Sophos products, including (but not limited to):
  • Unauthorized disabling of components, services, or features (including crashes, hangs, etc.)
  • Weak architecture (including the resulting inability to address a class of issues, ...)
• Disclosure of information (e.g. unauthorized access of other users files etc.)
• File parsing and/or scanning-related crashes, hangs, memory-corruption, etc.
• Bypassing exploit prevention technologies (if present in a product) *For example innovative mechanisms for injecting code into other processes, leading to privilege escalation You will be rewarded at the discretion of Sophos in relation to the general payout, depending on the severity of the issue and impact to customer installations. False negatives (undetected malware) are excluded from the Bounty program. However, we encourage you to submit any false negatives via https://secure2.sophos.com/en-us/support/submit-a-sample.aspx or email samples@sophos.com.

dev.phishthreat.com

To obtain credentials for the dev.phishthreat.com target, please email phishthreatbounty@gmail.com with your Bugcrowd username.

Sophos Disclosure Guidelines

Sophos supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers comply with the Sophos Responsible Disclosure Policy.