Surprised there is no 'banner' announcement of this in the community forum (I learnt about it from a third party security mailing list). I've said it before but I will say it again, I think it is a major failing of Sophos not to have a security alert mailing list.
Details here - https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce
How to check if your XG has been patched - https://support.sophos.com/support/s/article/KB-000044539?language=en_US
Thank you for reaching out and also for your contributions to the Community.
We have a number of communications tools that we use to keep our stakeholders informed of security incidents.
To say a web page is the primary location for notifications is ridiculous. How often do you want us to check a web page? Daily? Every hour? Every minute? The whole point of security advisories is that you want the information ASAP in realtime. Having to manually check a web page is not the way to deliver that sort of alert. The web page is fine for the details of an issue, not alerting us to new issues.
We are a Sophos partner. I have received no emails from Sophos about this.
I subscribe to your SMS alert service. I have received nothing about this and I don't believe you deliver security alerts via this mechanism anyway. Have you read the link you referenced? It's for the status of your services, not security alerts.
Sorry but this seems to be the Sophos 'way'. We, your Partners and customers, tell you that what you are doing is not satisfactory. You ignore us. How hard is it to create a mailing list? Every person and their dog seems to email me stuff I don't want.
I can confirm I have not received an SMS alert and I also miss a big warning about it when I go to the community or sophos home website.
Also there is no information if that hotfix has already been installed at our firewalls or not.
You could create a message here, just like you did with the exim patch:
That is not good..
Nothing on sophos support.