  • $100 – $50,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 1214
  • Validation within 6 days: 75% of submissions are accepted or rejected within 6 days
  • Average payout: $750 within the last 3 months

Recently joined this program

2274 total

Program Overview

At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.

Sophos rewards the responsible disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality, integrity, or availability of Sophos products, as well as services and infrastructure impacting Sophos' or users' data.

In general, no credentials or product keys will be provided for this program. All testing is to be performed using self-provisioned credentials against legally obtained Sophos products, including free trials. See the section Credentials for more details.

The severity of submissions will be determined using CVSSv3.1 according to Sophos' internal standard.

Scope and rewards

Program rules

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.