• $100 – $50,000 per vulnerability
• Safe harbor

Updates to the Sophos Program

The scope details were updated as of May 03, 2023. This update makes the following changes to the Research section of the bounty brief:

Researchers should use test accounts or test systems where possible, such that the security and privacy of real users is protected. At all times, make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of Sophos services. Do not modify or destroy data that does not belong to you.

Potentially destructive tests, including denial of service, require prior written consent by Sophos.

Reach out to, if a potentially destructive test on a production system is required to find, or confirm, a finding.

Denial of Service testing against Sophos Central is explicitly prohibited and will not be approved at this time.

As always, please be sure to review the program brief in detail on a regular basis for future scope updates, and if you have any questions, please reach out

Name URL Description Change
Sophos Research Section Scope

Happy Hunting!