OPPO Security Center

Welcome (the reporter of vulnerabilities, hereinafter referred to as the reporter) to use the OPPO Security Response Center platform service. This Agreement stipulates the rights and obligations of Guangdong OPPO Mobile Telecommunications Corp., Ltd. and its related enterprises (hereinafter referred to as "OPPO") and users who log in and use the OPPO Security Response Center (security.oppo.com, OSRC) (hereinafter referred to as "reporters") in terms of vulnerabilities collection and submission on the OSRC website. Please read this Agreement carefully before submitting vulnerabilities. The act of the reporter to use this platform to submit vulnerabilities indicates that the reporter has completely and accurately read and understood the contents of this Agreement, and is willing to be bound by the Agreement. OPPO reserves the right to modify and update this Agreement from time to time, and the reporter shall pay attention to the latest version hereof. If you have any objection to the modifications or you disagree with the rules published by OSRC, please stop using the service immediately.
    This Agreement shall go into effect after the reporter clicks "agree".

I. Definition

1.1 To OPPO, the related enterprise refers to the particular party which is directly or indirectly owned or controlled by OPPO through contractual arrangement or by any other means, or owns or controls OPPO, or with which OPPO is under the same control by any other subject.

1.2 Confidential information refers to any exclusive and/or confidential information related to the scope of the Agreement which is disclosed by one party (“OPPO”) to the other party (“the reporter”) through any carrier in oral or written form.

II. Confidentiality

2.1 The reporter shall keep secret for the confidential information and promise to treat all the confidential information disclosed by OPPO prudently at least to the extent how the reporter treats with and prevents his/her own confidential information from being disclosed externally, which shall not be lower than the reasonable extent. Without the prior written consent of OPPO, the reporter shall not disclose any such confidential information to any third party.

2.2 The reporter pledges to submit vulnerabilities with good intention, responsibility and a cooperative attitude. OPPO will respond as soon as possible after the submission. If such vulnerabilities indeed exist, OPPO will communicate with the reporter in time and confirm the progress of the vulnerabilities fixing. To ensure user security, the reporter shall pledge not to disclose relevant vulnerabilities-related information to any third party before such vulnerabilities are fixed.

2.3 If the reporter finds that the vulnerability may be exploited by other malicious attackers or is known by a third party that actually exists, the reporter shall notify OPPO of this situation first. OPPO will confirm whether there is an actual threat and decide whether and how to take preventive or repair measures based on the overall situation. Even if the above-mentioned actual threat exists indeed, the reporter will respect and trust the handling of the vulnerability by OPPO and agree to not disclose the vulnerability-related information to any third party.

2.4 In the process of discovering the vulnerability, if the reporter gets contact with data of OPPO or users and knows that such data is confidential, the reporter will not plagiarize, steal, change, use, or copy, carry, distribute, or leak such data by any means such as downloading and storing. Under no circumstances shall the ownership of OPPO on such data be transferred in any form.

2.5 The reporter undertakes that he/she will not use the discovered vulnerability to seek other benefits beyond the rating and rewards provided by this platform.

2.6 The reporter shall not, in any identity and in any way, make any public or nonpublic comments on the vulnerabilities and intelligence information involved in this Agreement. If you are unable to confirm whether certain information is confidential, you shall also protect it as confidential information.

III. Confidentiality Period

3.1 The obligation of the reporter to protect the confidential information under this Agreement cannot be removed until OPPO discloses the confidential information.

3.2 This Agreement shall remain effective for a long term from the day it comes into force.

IV. Restriction for Use

4.1 The reporter promises to use the confidential information only for the purpose of projects. The reporter is expressly prohibited from using the confidential information of OPPO for any other purposes other than projects.

4.2 At OPPO's written request at any time, the reporter shall: (1) return to OPPO all the confidential information of OPPO, all the documents or media containing such confidential information, and all the copies or abstracts of such information, or (2) destroy all the documents or media containing such confidential information, and all the copies or abstracts of such information, and provide OPPO with a written certificate of such destruction signed by an authorized representative of the reporter.

4.3 The reporter shall not carry out reverse engineering, decompilation or disassembling on any software disclosed to him/her, and shall not delete, overprint, or smear any copyright, trademark, logo, identification, marginal data or other ownership statement on any original or copy of the confidential information disclosed by OPPO.

4.4 The reporter shall not use the vulnerabilities and relevant information provided by the vulnerabilities and information of the OSRC website. To be concrete, you shall not engage in the following activities:

1) Enter into the computer information network or use the computer information network resources without permission;

2) Delete, modify or add computer information network functions without permission;

3) Delete, modify or add data and applications stored, processed in or transmitted into the computer information network without permission;

4) Deliberately make and spread destructive programs such as computer viruses;

5) Other behaviors that endanger the security of the computer information network.

If you violate the above-mentioned commitments OPPO will have the right to take such measures as cancelling your account. If OPPO suffers any losses due to your aforesaid behaviors, you shall compensate for that.

4.5 When using the OSRC website, the reporter shall abide by national and local laws and regulations, industry practices and social public ethics, and shall not use the OSRC website and its related services to store, release and disseminate the following information and content:

1) Any content (information) that violates national laws, regulations, and policies;

2) Political propaganda or news information in violation of state regulations;

3) Information concerning state secrets or security;

4) Feudal superstitious, obscene, pornographic and indecent information or information that instigates others to commit any crime;

5) Lottery with prizes and gambling games;

6) Information that violates national ethnic and religious policies;

7) Information that impedes the Internet security;

8) Information that infringes the lawful rights and interest of others or other information or content that is detrimental to social order, public security, and public morality;

You also promise not to provide any convenience to others for publishing the information (content) above that does not comply with the national regulations or the terms of this Agreement, including but not limited to setting URL links.

V. Ownership

5.1 You understand and agree that the vulnerabilities you submitted on the OSRC platform whose existence is verified by OSRC will be subsequently handled by OSRC by default.

5.2 You understand and agree that the ownership and all the intellectual property rights of the vulnerability report submitted by you on the OSRC platform are owned by OPPO. Without the written consent of OPPO, you shall not use, disclose to any third party or allow such party to use the aforesaid vulnerability report and such intellectual property rights. If you violate this term, OPPO has right to recover all the rewards issued to you and hold you accountable by law.

5.3 This Agreement shall not be deemed as setting any obligation for any party to enter into any contractual arrangement of any kind in the future.

VI. Warranty

All the confidential information disclosed hereunder is provided "as it is", without any expressed, implied or otherwise warranties of any kind with respect to its accuracy or performance, fitness to any particular purpose, or non-infringement.

VII. Applicable Laws

7.1 The rights and obligations of both parties hereunder shall be governed by the laws of the People's Republic of China which have been promulgated and entered into force. OPPO reminds you to read it carefully and consider the risks by yourself. Minors shall read this Agreement in the company of a legal guardian.

7.2 If the parties fail to settle any dispute, divergence or claim arising from or in connection with the interpretation of this agreement or any of its terms (including any issues concerning the conclusion, existence, validity, performance, default or termination of this Agreement), such dispute, divergence, or claim shall be submitted to People's Court of Nanshan District of Shenzhen in the place where the contract is signed, and settled by lawsuit.

VIII. Bonus Conversion Instructions

8.1 The bonus will be transfered through a third party bank account.

8.2 At the time of settlement, we will convert the bonus into US dollars at the exchange rate of the day.Exchange rate reference: http://www.pbc.gov.cn/zhengcehuobisi/125207/125217/…

OSRC Vulnerability Rewards and Scoring Criteria

Effective Date：11/08/2022

Security Vulnerability Scoring Standards for Internet Applications V3.0

Security Vulnerability Scoring Standards for Devices (Mobile Phones) V2.0

Security Vulnerability Scoring Standards for IoT Devices V2.0

Security Intelligence Scoring Standards V2.0

Malicious Behavior Scoring Standards for Developers' Apps V2.0

Internet：Web, Mobile APP, Server Vulnerability

Property Type

Critical

High

Moderat

Low

OPPO-owned properties

Core properties

Non-core properties

$2800-$5000

$440-$740

$700-$1100

$150-$440

$150-$300

$40-$75

$15-$30

$10-$15

Test environments

$75-$150

$40-$75

$5-$15

0-$5

Third-party properties

$120-$150

$30-$60

Security Intelligence Vulnerability

Property Type

Critical

High

Moderat

Low

OPPO-owned properties

Core properties

Non-core properties

$2800-$5000

$440-$740

$700-$1100

$150-$440

$150-$300

$40-$75

$15-$30

$10-$15

Device, IOT security Vulnerability

Critical

High

Moderat

Low

$2960-$10,000

$740-$2360

$140-$440

$30-$75

Developer APP Vulnerability

Critical

High

Moderat

$740-$1480

$150-$300

$75-$150

If a special critical vulnerability is reported, the highest reward will be up to $14400, and OSRC will apply for a special reward for the researcher.

OPPO Official Website

ColorOS

Submit Vulnerability Report

Get PGP Public Key