Sophos’ Safe by Design 2025 Progress – Sophos Information

In 2024, we turned one of many first organizations to decide to CISA’s Safe by Design initiative. Aligned with our core organizational values round transparency, Safe by Design has been a guiding pressure as we regularly consider and enhance our safety practices.

We not too long ago handed the one-year anniversary of publishing our pledges for enchancment and wish to publicly share the progress we’ve got made towards the seven core pillars of the Safe by Design framework.

I’m pleased with the progress we’ve made this 12 months however, after all, plans change and we haven’t fully-realized each purpose but. So anticipate additional updates and, very quickly, a contemporary set of further commits for the 12 months forward.

Multi-factor authentication (MFA)

Our 2024 pledge:

We pledge to launch passkey help in Sophos Central and publish adoption statistics for this stronger MFA mechanism.

How did we do?

In November 2024, we launched passkey help to all prospects utilizing Sophos Central. This strategic step was geared toward enhancing authentication safety by way of a phishing-resistant, passwordless login expertise. Since its launch in December 2024, we’ve seen robust adoption, with over 20% of all authentications to Central now using passkeys.

Along with launching passkey help, we went a step additional and now forestall the usage of legacy MFA mechanisms comparable to SMS. Customers of Central who depend on these legacy mechanisms are required to enrol in both a Time-based One-Time Password (TOTP) or passkey-based MFA throughout their subsequent login.

Determine 1: Adoption of Sophos Central MFA mechanisms between December 2024 and July 2025

Default passwords

Our 2024 pledge:

We pledge to proceed to disallow default credentials in all present and future services.

How did we do?

We’ve maintained this design precept and can proceed to take action in our product improvement. Sophos merchandise generate robust distinctive credentials, or require customers to supply complicated passwords upon setup, to assist scale back the chance of unauthorized entry.

Decreasing whole lessons of vulnerability

Our 2024 pledge:

In Sophos Firewall v21 (SFOS v21), we pledge to containerize key companies associated to Central administration so as to add further belief boundaries and workload isolation. Moreover, SFOS v22 will embrace an in depth structure redesign, which can higher containerize the Sophos Firewall management airplane, additional decreasing the chance and influence of RCE vulnerabilities.

How did we do?

We’re taking a risk-based prioritized strategy to containerized workloads and have supplied higher workload isolation within the Sophos Firewall. Beginning with an important and uncovered companies, the releases of SFOS v21 and SFOS v21.5 included the primary of those enhancements . We are going to share particulars of the progress we’re making with the Sophos Firewall management airplane rearchitecture for SFOS v22 in a follow-up article, because it received’t be launched till later in 2025.

Safety patches

Our 2024 pledge:

Operating the most recent firewall firmware model presents further safety advantages past receiving safety hotfixes by default. With this in thoughts, we pledge to launch a characteristic by September 2025 that allows prospects to mechanically schedule Sophos Firewall (SFOS) firmware updates.

How did we do?

Sophos plans to incorporate the flexibility to mechanically schedule firmware updates with the discharge of SFOS v22 when it’s launched later in 2025. Serving to our prospects hold their Sophos Firewall firmware updated is a precedence to us to assist hold them safe. Presently, 99.41% of our prospects’ firewalls profit from mechanically receiving OS-level hotfixes as they’re launched, because of the broad adoption of our automated hotfix deployment characteristic.

Vulnerability disclosure coverage

Our 2024 pledges:

1. Enhance transparency and add to collective business data by publishing weblog posts that assessment findings and classes realized from our vulnerability disclosure program

2. Enhance the utmost reward accessible to safety researchers.

How did we do?

Since our final submit in June 2024, we’ve got continued to spend money on our public bug bounty program and the good work that researchers share with us. This 12 months alone we’ve got reviewed greater than 800 bug bounty submissions for Sophos merchandise. We’ve rewarded over $500,000 USD to the researcher neighborhood since we began this system again in December 2017 . At present, Sophos ranks among the many prime Bugcrowd distributors providing the very best rewards per legitimate discovering.

To assist incentivize and enhance the chance of discovering essential vulnerabilities which might influence Sophos merchandise, we’ve got made a number of key enhancements this 12 months which align to our pledges:

1. We elevated the utmost reward potential for our Home windows Intercept X product by $20,000 USD; researchers can now earn $80,000 USD for a P1 submission
2. We added a brand new reward which pays as much as $50,000 USD for a P1 discovering in Central
3. We prolonged our premium bug bounty scope to incorporate financial rewards for legitimate vulnerabilities recognized in Taegis and Redcloak, following Sophos’ acquisition of Secureworks earlier in 2025.

We’ve launched a brand new devoted Root Trigger Evaluation (RCA) part on our Sophos Belief Middle, the place we’ve got printed RCAs from current incidents. Moreover, we plan to share insights and classes realized from our bug bounty program in a follow-up submit later this 12 months.

CVEs

Our 2024 pledge:

We pledge to increase our inside processes to persistently publish exterior CVEs for all recognized inside vulnerabilities of a severity of excessive or essential in our merchandise.

How did we do?

We’ve met this pledge by increasing our inside processes to make sure that any vulnerability recognized internally and assessed as excessive or essential severity is ready for exterior CVE publication. Though no vulnerabilities have but been recognized which meet this threshold for publication, the up to date processes are absolutely in place and able to help constant and clear disclosure going ahead.

Transparently publishing CVEs for internally found points helps our prospects higher perceive the safety posture of our merchandise, helps knowledgeable decision-making, and displays our dedication to business finest practices.

Proof of intrusions

Our 2024 pledge:

We pledge to supply further integration capabilities in Sophos Central to simplify the ingestion of audit logs into third events, with goal implementation previous to July 2025.

How did we do?

Whereas we’ve got made foundational progress towards this purpose, we’ve needed to regulate the timeline to replicate the numerous organizational modifications and new product alternatives ensuing from our acquisition of Secureworks earlier in 2025.

We stay absolutely dedicated to this pledge and can proceed to supply updates as we roll out enhancements.

Having reviewed our progress towards the commitments we made final 12 months, we’re now targeted on the highway forward. Within the close to future, we’ll share the up to date pledges we’re making for the approaching 12 months— constructing on what we’ve realized, the place we’ve superior, and the place we nonetheless have work to do. Our mission stays the identical: to constantly strengthen the safety, transparency, and trustworthiness of our merchandise, in alignment with the Safe by Design rules.