Sophos

Responsible disclosure with rewards up to US$50.000

  • $100 – $50,000 per vulnerability
  • Up to $20,000 maximum reward
  • Safe harbor
Submit report

Program stats

  • Vulnerabilities rewarded 1108
  • Validation within 11 days 75% of submissions are accepted or rejected within 11 days
  • Average payout $1,120 within the last 3 months

Latest hall of famers

View all 807

Recently joined this program

2088 total

Program Overview

At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers, who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.

Sophos rewards the responsible disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality, integrity, or availability of Sophos products, as well as services and infrastructure impacting Sophos' or users' data.

In general no credentials or product keys will be provided for this program - all testing is to be performed using self-provisioned credentials against legally obtained Sophos products, including free trials. See the section Credentials for more details.

The severity of submissions will be determined using CVSSv3.1 according to Sophos' internal standard.

Scope and rewards

Program rules

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.