


Angelina (Moderator)
Sophos Bug Bounty
« on: May 11, 2023, 06:50:56 pm »
Submit bug report: https://bugcrowd.com/sophos


Program Overview
At Sophos, we understand the effort that goes into security research. To show our appreciation to researchers who help keep our products and our customers safe, we are glad to introduce a Responsible Disclosure Program to provide recognition and rewards for responsibly disclosed vulnerabilities.

Sophos rewards the responsible disclosure of any identified and confirmed security vulnerability that could be used to compromise the confidentiality, integrity, or availability of Sophos products, as well as services and infrastructure impacting Sophos' or users' data.

In general no credentials or product keys will be provided for this program - all testing is to be performed using self-provisioned credentials against legally obtained Sophos products, including free trials. See the section Credentials for more details.

The severity of submissions will be determined using CVSSv3.1 according to Sophos' internal standard.

Research
Researchers should use test accounts or test systems where possible, such that the security and privacy of real users is protected. At all times, make a good faith effort to avoid privacy violations as well as destruction, interruption or segregation of Sophos services. Do not modify or destroy data that does not belong to you.

Potentially destructive tests, including denial of service, require prior written consent by Sophos.

Reach out to security-alert@sophos.com if a potentially destructive test on a production system is required to find, or confirm, a finding.

Denial of Service testing against Sophos Central is explicitly prohibited and will not be approved at this time.

Reporting
Rewards or recognition require that the Sophos security team can reproduce and verify an issue and that the security impact is clear.

Reproduction steps need to be clear, and may include screenshots, videos, scripts, etc.

DO NOT use the output from automated scanners and tools as the entire vulnerability report.

Rewards
Rewards will be provided according to the rules of this bug bounty program as outlined above. At the discretion of Sophos, quality, creativity, or novelty of submissions may modify payouts within a given range.

In case of multiple reports about the same issue, Sophos will reward the earliest submission, regardless of how the issue was reported.

Issues in Security Features
Reports about bugs or limitations in Sophos product security features, such as the ability to bypass a particular filter, are out of scope for the Sophos Bug Bounty Program and not eligible for rewards upon acceptance, unless explicitly stated otherwise in the section Special Targets below.

Valid reports about novel security feature bypasses will be forwarded to the respective product team and subsequently tracked as P5/Informational on the Bugcrowd platform.

At the sole discretion of the Sophos Product Management team, individual reports may be rewarded on a case by case basis after the fact.

Responsible Disclosure
Sophos takes responsibility for disclosing product vulnerabilities to customers. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:

Allow Sophos an opportunity to both correct and disclose a vulnerability (including any CVE, if applicable) first within a reasonable time frame.
Allow Sophos' customers 30 days to install the security patch before disclosing vulnerability details to anyone.
Coordinate with Sophos on any publication of vulnerability details.
Sophos advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to patch promptly.

For the full responsible disclosure policy, please refer to and comply with the Sophos Responsible Disclosure Policy.

Reward Eligibility
Current employees or contractors of a Sophos Group entity are not eligible to participate in the program. Former employees and contractors are eligible to participate in the program only if:

- they have left the Sophos Group entity more than 1 year prior to submission, and
- they are not making use of, or referring to, any non-public Sophos information obtained when they were an employee or contractor.

Credentials
For testing services and products that require credentials, please create an account on your own using your @bugcrowdninja.com email address. Your bugcrowdninja email address is your username @bugcrowdninja.com. All emails will go to the email address associated with your account.

If for some reason your IP address or account are banned during your research activity, please contact us at bugbounty@sophos.com and we'll restore your access ASAP.

dev.phishthreat.com
To obtain credentials for the dev.phishthreat.com target, please email phishthreatbounty@gmail.com with your Bugcrowd username.

Special Targets
Sophos Endpoint Products
Sophos offers a broad range of Endpoint protection products on multiple platforms (Windows, Mac, Linux, Android, iOS, etc.), including (but not limited to) Anti-Virus and Exploit Prevention. Relating to our Endpoint protection products, we are particularly interested in:

- Privilege escalation via Sophos Endpoint products, including (but not limited to):
  - Unauthorized disabling of components, services, or features (including crashes, hangs, etc.)
  - Weak architecture (including the resulting inability to address a class of issues, ...)
  - Disclosure of information (e.g. unauthorized access of other users, files, etc.)
- File parsing and/or scanning-related crashes, hangs, memory corruption, etc.
- Bypassing exploit prevention technologies (if present in a product), for example innovative mechanisms for injecting code into other processes, leading to privilege escalation

False negatives (undetected malware) are excluded from the program. However, we encourage you to submit any false negatives via https://support.sophos.com/support/s/filesubmission or email to samples@sophos.com.

Sophos Optix
To test Sophos Optix, follow these instructions:

1. On your Sophos Central Dashboard, scroll down to find the card titled "Cloud Security Posture Management"
2. Click on "Go to product dashboard" or the "Activate Cloud Optix" button
3. You will be greeted with setup instructions
4. Click on the 2nd button labelled "Go to Demo Console"

Legal
By engaging or participating in this bug bounty program, you agree to treat the following types of information as Sophos’s confidential information and not divulge to any third person (except disclosure to Sophos through the Bugcrowd platform) any such information until disclosure is approved in writing by Sophos:
(i) all information you receive or collect about Sophos and its products, or any of Sophos’s customers during your participation in this program; and/or
(ii) vulnerability report and any vulnerability.

Disclosure of Sophos’s confidential information to any third parties before Sophos’s approval forfeits the reward and could disqualify you from participating in this bug bounty program in the future. Please notify Sophos immediately upon discovery of any loss or unauthorized disclosure of confidential information.

You must notify Sophos immediately if you:
(i) gain access to another person's accounts or data;
(ii) destroy any data, or
(iii) cause interruption or degradation of Sophos’s infrastructure and services. Additionally, if you encounter personally identifiable information, customer data or other sensitive information, please contact Sophos immediately, and do not retain any copies of such information.

By submitting your vulnerability report, you perpetually allow Sophos and its affiliates and subsidiaries the unconditional ability to use, modify, create derivative work from, distribute, publish and display information provided in your report or to have others do the same on Sophos’s behalf, and these rights cannot be revoked.

Sophos cannot provide a reward if you’re a minor, on a sanctions list, or live in a country that is on a sanctions list.

You must comply with all applicable laws in connection with your participation in this program.

As a participant in this program, you will not be deemed to be in breach of applicable Sophos license provisions so long as your actions are consistent with this bug bounty brief.