In 2024, we became one of the first organizations to commit to CISA’s Secure by Design initiative. Aligned with our core organizational values around transparency, Secure by Design has been a guiding force as we continually evaluate and improve our security practices.
We recently passed the one-year anniversary of publishing our pledges for improvement and would like to publicly share the progress we have made against the seven core pillars of the Secure by Design framework.
I’m proud of the progress we’ve made this year but, of course, plans change and we haven’t fully realized every goal yet. So expect further updates and, very soon, a fresh set of additional commitments for the year ahead.
Multi-factor authentication (MFA)
Our 2024 pledge:
We pledge to release passkey support in Sophos Central and publish adoption statistics for this stronger MFA mechanism.
How did we do?
In November 2024, we launched passkey support to all customers using Sophos Central. This strategic step was aimed at enhancing authentication security through a phishing-resistant, passwordless login experience. Since its launch in December 2024, we’ve seen strong adoption, with over 20% of all authentications to Central now utilizing passkeys.
In addition to launching passkey support, we went a step further and now prevent the use of legacy MFA mechanisms such as SMS. Users of Central who rely on these legacy mechanisms are required to enrol in either a Time-based One-Time Password (TOTP) or passkey-based MFA during their next login.
Figure 1: Adoption of Sophos Central MFA mechanisms between December 2024 and July 2025
Default passwords
Our 2024 pledge:
We pledge to continue to disallow default credentials in all current and future products and services.
How did we do?
We have maintained this design principle and will continue to do so in our product development. Sophos products generate strong unique credentials, or require users to provide complex passwords upon setup, to help reduce the likelihood of unauthorized access.
Reducing entire classes of vulnerability
Our 2024 pledge:
In Sophos Firewall v21 (SFOS v21), we pledge to containerize key services related to Central management to add additional trust boundaries and workload isolation. Additionally, SFOS v22 will include an extensive architecture redesign, which will better containerize the Sophos Firewall control plane, further reducing the likelihood and impact of RCE vulnerabilities.
How did we do?
We are taking a risk-based, prioritized approach to containerizing workloads and have provided better workload isolation in the Sophos Firewall. Starting with the most important and exposed services, the releases of SFOS v21 and SFOS v21.5 included the first of these improvements. We will share details of the progress we are making with the Sophos Firewall control plane rearchitecture for SFOS v22 in a follow-up article, since it won’t be released until later in 2025.
Security patches
Our 2024 pledge:
Running the latest firewall firmware version offers additional security benefits beyond receiving security hotfixes by default. With this in mind, we pledge to release a feature by September 2025 that enables customers to automatically schedule Sophos Firewall (SFOS) firmware updates.
How did we do?
Sophos plans to include the ability to automatically schedule firmware updates in SFOS v22 when it’s released later in 2025. Helping our customers keep their Sophos Firewall firmware up to date is a priority for us in keeping them secure. Currently, 99.41% of our customers’ firewalls benefit from automatically receiving OS-level hotfixes as they are released, thanks to the wide adoption of our automatic hotfix deployment feature.
Vulnerability disclosure policy
Our 2024 pledges:
- Increase transparency and add to collective industry knowledge by publishing blog posts that review findings and lessons learned from our vulnerability disclosure program.
- Increase the maximum reward available to security researchers.
How did we do?
Since our last post in June 2024, we have continued to invest in our public bug bounty program and the great work that researchers share with us. This year alone we have reviewed more than 800 bug bounty submissions for Sophos products. We have rewarded over $500,000 USD to the researcher community since we started the program back in December 2017. Today, Sophos ranks among the top Bugcrowd vendors offering the highest rewards per valid finding.
To help incentivize and increase the likelihood of finding critical vulnerabilities which could impact Sophos products, we have made a few key improvements this year which align with our pledges:
- We increased the maximum reward possible for our Windows Intercept X product by $20,000 USD; researchers can now earn $80,000 USD for a P1 submission.
- We added a new reward which pays up to $50,000 USD for a P1 finding in Central.
- We extended our premium bug bounty scope to include monetary rewards for valid vulnerabilities identified in Taegis and Redcloak, following Sophos’ acquisition of Secureworks earlier in 2025.
We plan to share insights and lessons learned from the bug bounty program in a follow-up post later this year.
CVEs
Our 2024 pledge:
We pledge to extend our internal processes to consistently publish external CVEs for all identified internal vulnerabilities of a severity of high or critical in our products.
How did we do?
We have met this pledge by expanding our internal processes to ensure that any vulnerability identified internally and assessed as high or critical severity is prepared for external CVE publication. Although no vulnerabilities have yet been identified which meet this threshold for publication, the updated processes are fully in place and ready to support consistent and transparent disclosure going forward.
Transparently publishing CVEs for internally discovered issues helps our customers better understand the security posture of our products, supports informed decision-making, and reflects our commitment to industry best practices.
Evidence of intrusions
Our 2024 pledge:
We pledge to provide additional integration capabilities in Sophos Central to simplify the ingestion of audit logs into third parties, with target implementation prior to July 2025.
How did we do?
While we have made foundational progress toward this goal, we’ve had to adjust the timeline to reflect the significant organizational changes and new product opportunities resulting from our acquisition of Secureworks earlier in 2025.
We remain fully committed to this pledge and will continue to provide updates as we roll out improvements.
Having reviewed our progress against the commitments we made last year, we’re now focused on the road ahead. In the near future, we’ll share the updated pledges we’re making for the coming year, building on what we’ve learned, where we’ve advanced, and where we still have work to do. Our mission remains the same: to continuously strengthen the security, transparency, and trustworthiness of our products, in alignment with the Secure by Design principles.