- $100 – $50,000 per vulnerability
- Up to $20,000 maximum reward
At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.
Sophos rewards the responsible disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality, integrity, or availability of Sophos products, as well as services and infrastructure impacting Sophos' or users' data.
In general, no credentials or product keys will be provided for this program. All testing is to be performed using self-provisioned credentials against legally obtained Sophos products, including free trials. See the Credentials section for more details.
The severity of submissions will be determined using CVSSv3.1 according to Sophos' internal standard.
Scope and rewards
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.