This post originally appeared on the Sophos Blog.


Adversarial relationships between vendors and security researchers used to be common. Researchers would report a bug and the vendor – not all but certainly more than a few – would drag its feet in patching the problem. Then, the researcher would make the findings public and the vendor would criticize them for releasing information attackers could exploit.

In more recent years, things have improved. A growing number of companies now encourage researchers to dissect their products and take their best shots to find cracks in the armor. That means more vulnerabilities are discovered and fixed, and we’re all more secure as a result. The process is now popularly known as bug bounty programs, where researchers are rewarded for what they find, financially or otherwise.

Quickly finding and fixing vulnerabilities is something we at Sophos take very seriously. We’ve had our own responsible disclosure program for some time, and since June 2016 we’ve been partnering with Bugcrowd for a more robust experience.

This post explains how it works and outlines the rules for researchers who want to get involved.

Sophos Responsible Disclosure Program

Through Bugcrowd, Sophos runs what’s called the Responsible Disclosure Program. Before Bugcrowd, it was run off our website and produced inconsistent results. We formalized our approach with Bugcrowd, which allowed us to improve our researcher communications while streamlining internal processes to significantly improve response times.

Bugcrowd’s platform and management helped us turn our program into a supercharged channel for vulnerability discovery.

Sophos enterprise security architect Gene Melster said the partnership has quickly produced results:

Our bug bounty allows us to continuously assess our ongoing security posture, increase value from red team and pen testing exercises by focusing on more challenging and complicated security components, and in turn, allows us to generate better metrics on where our focus should be.

Rewards system

Qualifying bugs are rewarded via “kudos” based on severity, as determined by Sophos’ security team. Rewards may range from kudos to Sophos-branded swag. At Sophos’ discretion, providing more complete research, proof-of-concept code and detailed documentation may earn a bonus percentage on the bounty awarded.

Conversely, Sophos might give less for vulnerabilities that require complex or over-complicated interactions or for which the impact or security risk is negligible or misstated.

The scope of this program is limited to technical security vulnerabilities in Sophos-owned applications, products and software. We don’t provide credentials or product keys – researchers must do all their testing with self-provisioned credentials against legally obtained Sophos products.

Melster said Sophos does run a private bug bounty that is invite-only and has higher risk and complexity applications in it.

Reporting

Verifiable evidence that a vulnerability exists (screenshot/video/script) is required if a researcher is to receive recognition or an award for reported vulnerabilities. For more technically elaborate vulnerabilities, reproduction steps are required. Rewards or recognition will not be awarded if our security team cannot reproduce and verify an issue. When researching a bug, please also use test accounts (and test systems where appropriate) so that the security and privacy of real users are not affected.

Eligibility

Reward eligibility is considered only if you’re the first person to report the issue to Sophos. We commit to responding to a report within 48 business hours, and to implementing a fix within up to 90 days, depending on the severity of the report. Note that posting details or conversations about a report before it has been approved for disclosure, or posting details that reflect poorly on this program or the Sophos brand, will result in forfeiture of any award and/or immediate removal from the program. We don’t allow the use of automated scanners and tools to find vulnerabilities.

Credentials

For testing services and products that require credentials, researchers must create an account on their own using their @bugcrowdninja.com email address. Your ‘bugcrowdninja’ email address is your username@bugcrowdninja.com. All emails will go to the email address associated with your account.

If for some reason your IP address or account is banned during your research activity, you can contact us at security-alert@sophos.com and we’ll restore your access as soon as possible.


Working with Sophos has been a great experience and we look forward to seeing their program evolve over time. To learn more about why security vendors are turning to the crowdsourced model, download our recent ‘Security Vendor Spotlight.’