OSRC Vulnerability Disclosure Program

OPPO highly values the security of its products and services, and is committed to developing secure and reliable products and ensuring user privacy protection. In the meantime, we’ve realized that security researchers play an important role in protecting OPPO’s products and consumers, which is why the OSRC (OPPO Security Response Center) Vulnerability Disclosure Program (hereinafter referred to as the Program) is developed. The Program provides a secure channel for researchers to report security issues of the Company and offers effective measures to triage and mitigate the security vulnerabilities. We are truly grateful to the researchers who followed the practice of responsible disclosure and did not disclose the vulnerabilities prematurely during the time required for issue resolution. Premature public disclosure of the vulnerabilities will put OPPO users at higher risks. If you have identified any security vulnerabilities or issues in any domain names that belong to or relate to OPPO, you are advised to report the vulnerabilities in the website of OSRC.

To protect our users, OPPO will not disclose, discuss or confirm any security issues before a full investigation is completed with available updates.

Before you get into the details of the Program, please take a close look at the policies, terms, and conditions of the Program. If you disagree with the policies or terms of this program, you can exit the program and we will stop providing relevant services. If you continue to stay in the program, it means you fully understand and accept the following policies and terms.

Responsible Disclosure - Policy

When reporting a security vulnerability to OPPO, we ask that:

  • You give us reasonable time to investigate and mitigate an issue you report before making any information contained in the report public or information shared with 3rd.
  • You do not exploit a security issue you discover for any reason. This includes demonstrating additional risk, such as attempts to compromise sensitive company data or probing for additional issues.
  • You do not intentionally violate any other applicable laws or regulations.
  • You do not violate any privacy rules, privacy regulations, or cause disruptions to others including, but not limited to unauthorized access to or destruction of data and interruption or degradation of our services.
  • You read, agree and align with OPPO Company Privacy Policy.
  • You read, agree and adhere to our Responsible Disclosure Terms & Conditions.
Responsible Disclosure - Terms & Conditions
  • If you inadvertently or intentionally access OPPO and its affiliates’ proprietary customer, employee, or business related information during your testing, the information must not be used, disclosed, stored, or recorded in any way. Access to any such data must be declared as part of your vulnerability report.
  • By submitting information about a potential security vulnerability, you are granting OPPO a worldwide, permanent, royalty-free, non-exclusive license to use your submission for the purpose of addressing security vulnerabilities in OPPO or its affiliates’ products and services. We will respond to your report on OSRC, acknowledging receipt and updating you on our progress within 15 working days. Also we will continue to follow up on the issue until it is resolved. You can check the latest status of the vulnerability reports you submitted by logging into the official OSRC website. This allows you to keep track of the progress until we complete the fixes and close the vulnerability report. https://security.oppo.com/en/responsibleDisclosurehttps://security.oppo.com/en/ responsibleDisclosure
  • By submitting a security vulnerability report, you affirm that you have not previously disclosed the security vulnerability to anyone other than OPPO. Absent OPPO prior written consent, any disclosure outside of this process would be a violation of the terms & conditions of the Program.