This document answers frequently asked questions about bounty programs and explains the submission and confidentiality requirements of the programs.
The decisions made by OPPO Security Response Center (OSRC) are final and binding. OSRC may cancel this program at any time, for any reason. Be sure to read all of these terms before sending us any submission. If you send us a submission for this program, you are agreeing to these terms. If you do not want to agree with these terms, do not send us any submissions or otherwise participate in this program.
OPPO places great importance on the security of our own products and services, and we have always been committed to user security. With OSRC, we hope to improve the overall security level of OPPO by strengthening our cooperation with individuals, organizations and companies in the industry.
OPPO supports responsible disclosure and management of security vulnerabilities. We promise to scrupulously abide by white hat principles to protect the interests of users. We are grateful to and appreciative of the users who have helped OPPO improve its security.
OPPO opposes and condemns all hacking behavior that exploits security vulnerabilities to compromise or damage the interests of users on the pretext of vulnerability testing, including but not limited to using such vulnerabilities to steal user data, break into business systems, modify or steal related system data, or maliciously disseminate such vulnerabilities or data. OPPO will hold anyone who commits any of the above acts liable for them.
Any website, ColorOS, or mobile app owned by OPPO is in scope for the program, including: OPPO Official Website, OPPO Store, OPPO AppStore, OPPO Game Center, OPPO Advertising Alliance, OPPO Cloud, OPPO ID, OPPO Community, OPPO Open Platform, OPPO Marketing Platform, ColorOS, OPPO+, OPPO Browser, OPPO Theme Store.
The main categories of vulnerabilities that we are looking for are:
If you have found any security issue in our products or services, we encourage you to notify us. We look forward to working with you to resolve the issue promptly. When reporting a security vulnerability, please note that your report should include the following information (Qualified Reporting):
WHAT CAN I DISCLOSE ABOUT A VULNERABILITY REPORT I SUBMITTED FOR BOUNTY AND WHEN CAN I DISCLOSE IT?
If you report a vulnerability, you are agreeing that you will never disclose functioning exploit code (including binaries of that code) for the applicable vulnerability to any other entity, unless OSRC makes that code generally publicly available or you are required by law to disclose it.
Please do not discuss the vulnerability in any form prior to OSRC notifying you that it is fixed. Disclosing a vulnerability before we notify you that it has been fixed may render you ineligible to participate in any bounty programs.
Please contact firstname.lastname@example.org if you intend to discuss the vulnerability after it has been fixed. This includes blog posts, public presentations, whitepapers and other media. We’re happy to advertise your public talk here.
CVEs are an industry standard for uniquely identifying vulnerabilities. To avoid confusion, it is important that the first public mention of a vulnerability includes a CVE. For vulnerabilities that go past the deadline, we ensure that a CVE has been pre-assigned.
Low-severity issues are generally addressed in the next major version rather than through our Monthly Security Bulletins, and we will generally not assign CVEs for this severity level.
After the bug is fixed, we will issue a security advisory on the website describing which problems have been fixed in the latest software release.