At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.
Sophos rewards the confidential disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality or integrity of our Sophos or users' data (such as by bypassing our authentication or authorization process, privilege escalation, or instigating action on another user's behalf). Kudos rewards and recognition in the Sophos Security Hall of Fame may be provided for the disclosure of qualifying bugs, depending on severity and creativity of identified issues. Sophos may also award company swag for qualifying issues.
We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Sophos, and we strive to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.
The scope of this program is limited to technical security vulnerabilities in Sophos owned applications, products and software. Additionally, no credentials or product keys will be provided for this program - all testing is to be performed using self-provisioned credentials against legally obtained Sophos products.
Verifiable evidence the vulnerability exists (screenshot/video/script) is required to receive recognition or an award for reported vulnerabilities.
For more technically elaborate vulnerabilities, reproduction steps are required. Rewards or recognition will not be awarded If our security team cannot reproduce and verify an issue. When researching a bug, please also use test accounts (and systems where appropriate) such that security and privacy of real users is not affected.
Reward eligibility is considered only if you're the first person reporting it to Sophos. We commit to having 48 business hours to respond to the report, and up to 90 days to implement a fix based on the severity of the report. Note that posting details or conversations about this report before it has been approved for disclosure or posting details that reflect poorly on this program or the Sophos brand will result in forfeiture of any award and/or immediate removal from the program.
DO NOT use automated scanners and tools to find vulnerabilities.
For testing services and products that require credentials, please create an account on your own using your @bugcrowdninja.com email address. Your 'bugcrowdninja' email address is your email@example.com. All emails will go to the email address associated with your account.
If for some reason your IP address or account are banned during your research activity please contact us at firstname.lastname@example.org and we'll restore your access ASAP.
Qualifying bugs will be rewarded via Kudos based on severity, to be determined by Sophos security team. Rewards may range from Kudos to Sophos-branded swag. Awards are granted entirely at the discretion of Sophos.
At Sophos discretion, providing more complete research, proof-of-concept code and detailed documentation may incur a bonus percentage on the bounty awarded. Conversely, Sophos reserves the right to less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible, or misstated.
The following are out of scope:
- Sophos AWS Infrastructure
- Sophos operated blogs
- any 3rd party hosted service (anything hosted by a software/cloud vendor), even if branded as Sophos.
- Sophos Support Chat functionality on any of Sophos externally facing assets
The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled
- Username / email enumeration
- via Login Page error message
- via Forgot Password error message
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
- SSL Issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL weak / insecure cipher suites
- DoS/Denial of Service attacks, or resource exhaustion attacks against Sophos online products and services.
- Software version disclosure
- Social Engineering attacks
- Results of automated tools/scanners - Do NOT use automated scanners and tools to find vulnerabilities
- Results of automated/scripted testing of web forms, especially "Contact Us" forms
- Clickjacking/UI redressing
- Information Disclosure
- Vulnerabilities affecting older browsers (IE < 9, Chrome < 40, Firefox < 35, Safari < 7, Opera < 13)
This bounty follows Bugcrowd’s standard disclosure terms.
This bounty requires explicit permission to disclose the results of a submission.