
OPPO Mobile Telecommunication Co., Ltd.
Procedures for Treatment of Reports about External Threats

Revision Records:

V1.0 2018-8-15 Release the first edition

V1.1 2018-9-01 Update the vulnerability rating criteria

V1.2 2018-11-1 Upgrade the reward amount and add business factors to vulnerability rating

I. Basic Principles

1. OPPO attaches great importance to the security of its own products and services, and has always been committed to ensuring user security. We hope to strengthen the cooperation with individuals, organizations and companies in the industry through the OPPO Security Response Center (hereinafter referred to as OSRC) to improve the overall security level of OPPO.

2. OPPO supports responsible disclosure and handling process of vulnerabilities. We promise to give thanks and reward to every user who abides by the spirit of white hat, protects the interest of users, and helps OPPO improve the security quality.

3. OPPO opposes and condemns all hacking behaviors that take vulnerability testing as a pretext to exploit the security vulnerabilities to damage and harm the interest of users, including but not limited to exploiting the vulnerabilities to steal user data, invade business systems, modify and steal relevant system data, and maliciously disseminate the vulnerabilities or data. OPPO will hold the person with such behaviors accountable.

II. Procedures for Feedback and Treatment of Threat Reports

1. Registration and login

Threat reporters shall visit https://id.oppo.com, register an account, and complete personal data correctly.

2. Vulnerability submission

Threat reporters log in to OSRC (website: https://security.oppo.com) and submit an order to report the threat information (status: pending review). The information shall be detailed (when demonstrating a vulnerability, proving that it is dangerous is enough; downloading data is strictly forbidden). Do not disclose or spread information related to the vulnerability until it is fixed.

3. Vulnerability verification

3.1 Within 1 working day, the OSRC staff will confirm receipt of the threat report, follow it up and start to assess the problem.

3.2 Within 7 working days, the OSRC staff will review the problem and give a conclusion (status: to be assigned/ignored). The staff will communicate with the reporter for confirmation if necessary, and the reporter shall assist with that.

4. Vulnerability fixing

4.1 The Business Department shall fix the security problems revealed in the threat report and schedule updates (status: fixed). The fixing time depends on the severity of the problem and the difficulty of fixing it. Generally speaking, a serious problem can be fixed within 24 hours, a high-risk problem within 48 hours, a medium-risk problem within 3 working days, and a low-risk problem within 7 working days. Because it is limited by version release, the fixing time for security problems of mobile phone applications and mobile phone systems shall be determined based on the actual situation.

4.2 If the threat reporter has checked the status of the submitted vulnerabilities and has any objection, he/she may communicate with the staff within 7 working days after the threat is confirmed. For more details, please refer to the measures for settlement of disputes.

5. Acknowledgement and feedback

5.1 Within the first week of each month, OSRC will publish the threat report treatment announcement of the previous month, to acknowledge the reporters and publicize the treatment situation.

5.2 The reporters shall provide the detailed information requested and collect the reward.

III. Threat Report Rating Criteria

OPPO threat reports fall into two major categories: security vulnerabilities and security information.

1. Business grading and business coefficients

1.1 According to the degree of importance, business related to OPPO can be classified into: core business, general business, and third party business.

1.1.1 Core business: OPPO Official Website, OPPO Store, OPPO AppStore, OPPO Game Center, OPPO Advertising Alliance, OPPO Cloud, OPPO ID, OPPO Community, OPPO Open Platform, OPPO Marketing Platform, ColorOS, OPPO+, OPPO Browser, and OPPO Theme Store.

1.1.2 General business: Business other than the core business of OPPO.

1.1.3 Third party business: Business of third parties of OPPO, such as the agent marketing system. For the third party business, only high-risk and major vulnerabilities will be handled.

1.2 The business coefficient of core business is 2, that of general business is 1 and that of third party business is 0.2.

1.3 The final reward amount = basic reward amount * business coefficient. The reward is briefly introduced as follows (amounts in yuan):

Category               Major      High-risk  Medium-risk  Low-risk  Notes
Basic reward amount    3000-4000  1000-2000  200-500      50-100    The highest reward for a special major vulnerability of core business is 50,000 yuan
Core business          6000-8000  2000-4000  400-1000     100-200
General business       3000-4000  1000-2000  200-500      50-100
Third party business   600-800    200-400    0            0

2. Security vulnerability rating criteria

The security vulnerabilities are classified into two major categories: "conventional security vulnerabilities" and "mobile security vulnerabilities". The hazard grades of vulnerabilities are: serious, high-risk, medium-risk, low-risk and none.

2.1 Conventional security vulnerabilities: Including security vulnerabilities of the system network, the servers and the Web end, etc. The rating criteria for server-end vulnerabilities are the same as those for the Web end. The grading and description of vulnerabilities are as follows:

2.1.1 Major: The basic reward amount is 3000-4000 yuan. If a special major vulnerability is provided, the highest reward can be up to 50,000 yuan, and OSRC will apply for a special reward for the reporter.

Major vulnerabilities include but are not limited to:

① Vulnerabilities that can be exploited to directly obtain system permissions (server permissions). Including but not limited to remote execution of any command or code, upload of any file to get Webshell, buffer overflow, SQL injection to obtain the highest system permissions, and weak passwords of systems or databases.

② Critical flaws in logic design. Including but not limited to signing in with any OPPO ID, and changing OPPO ID passcode at will.

③ Major leakage of sensitive information. Including but not limited to critical SQL injection in core databases, and obtaining of certain back-end permissions to access a large amount of core business data.

2.1.2 High-risk: The basic reward amount is 1000-2000 yuan. High-risk vulnerabilities include but are not limited to:

① Vulnerabilities that can be exploited to directly steal sensitive information. Including but not limited to SQL injection in non-core databases, stored XSS vulnerabilities that can spread automatically, XXE vulnerabilities that can be exploited to obtain any information, and SSRF that can be used to obtain large amounts of sensitive information on an intranet.

② Unauthorized sensitive operations. Including but not limited to unauthorized account operations to obtain or modify important information, execute orders, modify important service configurations, etc.

③ Leakage of sensitive information. Including but not limited to access to any files, and leakage of large chunks of source code.

2.1.3 Medium-risk: The basic reward amount is 200-500 yuan.

Medium-risk vulnerabilities include but are not limited to:

① Vulnerabilities that require user interaction to take effect. Including but not limited to CSRF involving core businesses.

② Common unauthorized operations. Including but not limited to modifying user data and performing user operations by bypassing restrictions.

③ Leakage of general information. Including but not limited to web path traversal and system path traversal.

④ Common flaws in logic design and in process. Including but not limited to logic flaws in important systems that can be exploited to bypass verification code, and restrictions that can be bypassed to conduct credential stuffing attacks.

2.1.4 Low-risk: The basic reward amount is 50-100 yuan.

Low-risk vulnerabilities include but are not limited to:

① Vulnerabilities that may lead to minor information leakage. Including but not limited to leakage of paths, SVN files, git files, log files, PHPinfo, log printing, and configuration information.

② Vulnerabilities that are difficult to exploit but pose security risks. Including but not limited to reflected XSS, transmittable and exploitable Self-XSS, CSRF that requires the construction of some parameters and has a certain impact, and URL jumping.

2.1.5 None: The basic reward amount is 0 yuan.

Vulnerabilities in this grade include but are not limited to:

① Bugs that do not involve security issues. Including but not limited to issues such as functional defects of products, garbled pages, style mixing, directory traversal of static files, and app incompatibility.

② Vulnerabilities that cannot be exploited. Including but not limited to meaningless reports by vulnerability scanners (such as lower versions of Web Server), Self-XSS, JSON Hijacking that involves no sensitive information, CSRF with no sensitive operations, abnormal leakage of meaningless information, and leakage of intranet IP address/domain name.

③ Vulnerabilities that cannot be reproduced, and other issues that cannot directly become vulnerabilities. Including but not limited to issues that are mere conjectures by users.

④ Other vulnerabilities that pose very low risks.

2.2 Mobile-terminal security vulnerabilities: Security vulnerabilities of the mobile terminal, centred on ColorOS and OPPO's own apps.

2.2.1 Serious: The basic reward amount is 3000-4000 yuan. If a special major vulnerability is provided, the highest reward can be up to 50,000 yuan, and OSRC will apply for a special reward for the reporter.

Vulnerabilities in this grade include but are not limited to:

① Vulnerabilities that directly give the highest privileges on the client terminal. Including but not limited to direct access to Android system permissions due to OPPO modifications, remote arbitrary command execution, exploitable browser use-after-free vulnerabilities introduced by OPPO modifications, escapes from the Google sandbox or TrustZone, remote kernel code execution vulnerabilities, and other remote code execution vulnerabilities caused by logic problems.

② Critical flaws in logic design. Including but not limited to access to sensitive information by bypassing access restrictions (for example, bypassing the lock screen), and modification of any account's password or access to any account's cloud information through OPPO apps.

③ Remote access to the sensitive information of users without being noticed by users.

2.2.2 High-risk: The basic reward amount is 1000-2000 yuan.

High-risk vulnerabilities include but are not limited to:

① Unauthorized access to sensitive information. Including but not limited to permission vulnerabilities in Android components that affect business operation, such as broadcast message forgery.

② Leakage of sensitive information. Including but not limited to directly exploitable app vulnerabilities and local SQL injection, etc.

③ XSS vulnerabilities of critical client products through which sensitive information can be obtained or sensitive operations can be executed.

2.2.3 Medium-risk: The basic reward amount is 200-500 yuan.

Medium-risk vulnerabilities include but are not limited to:

① Common unauthorized operations. Including but not limited to insecure direct object references.

② Leakage of general information. Including but not limited to passwords stored in cleartext on the client terminal.

③ Remote denial of service. Including but not limited to remote denial of service on the client terminal (triggered by special characters or malformed file formats).

④ Misconfigurations. Potential hazards such as security policies failing to take effect.

⑤ Logic vulnerabilities in interfaces that can be used for user deception, phishing, etc.

2.2.4 Low-risk: The basic reward amount is 20-100 yuan.

Low-risk vulnerabilities include but are not limited to:

① Local SQL injection in apps that hold no sensitive information.

② Problems in important apps caused by exposed Android component permissions and ordinary app permissions.

③ Mobile app remote code execution vulnerabilities that require a man-in-the-middle position, where a valid PoC is provided.

2.2.5 None: The basic reward amount is 0 yuan.

Vulnerabilities in this grade include but are not limited to:

① Local denial of service without security impact.

② Bugs that do not involve security issues. Including but not limited to product functional defects, garbled pages, style mixing, etc.

③ Vulnerabilities that cannot be reproduced, and other issues that cannot directly become vulnerabilities. Including but not limited to issues that are mere conjectures by users.

④ Other vulnerabilities that pose very low risks.

3. Security report rating criteria

Security information can be vulnerability clues, intrusion information, black and grey industry exploitation clues, data leakage clues, and so on. According to the degree of hazard, it is divided into 5 grades: serious, high-risk, medium-risk, low-risk and none. The specific rating criteria and example clues are as follows.

3.1 Major: The basic reward amount is 3000-4000 yuan.

The clues include but are not limited to:

① A server has been compromised and relevant clues, such as the intrusion method, are provided. For example, a business server has been compromised and the relevant behavioural characteristics are provided, which makes it easy to quickly locate and confirm the problem.

② An important business database has been dumped and relevant clues, such as the database name or the database file, are provided. For example, a business database has been dumped and detailed information about the database is provided, which makes it easy to quickly locate and confirm the problem.

③ Clues to major financial logic vulnerabilities, such as serious logic vulnerabilities in payments.

3.2 High-risk: The basic reward amount is 1000-2000 yuan.

The clues include but are not limited to:

① Worm propagation is occurring and relevant clues, such as the propagation link, are provided. One instance is large-scale worm propagation caused by stored XSS in an important business.

② User identity information has been stolen on a large scale and relevant clues, such as the attack code, are provided. For example, identity information stolen on a large scale because of vulnerabilities.

3.3 Medium-risk: The basic reward amount is 200-500 yuan.

The clues include but are not limited to:

New attack patterns, techniques and the like that can help improve the defence against hazards of high-risk level and above, for example new WebShell or DDoS attack patterns.

3.4 Low-risk: The basic reward amount is 50-100 yuan.

The clues include but are not limited to:

Information that has not caused losses to users but has an impact on the business, for example, the verification code is bypassed or the system is attacked and denies service, etc.

3.5 None: The basic reward amount is 0 yuan.

Information that has little or even negligible impact on the business.

4. General principles of the rating criteria

4.1 The rating criteria apply only to threat reports that have an impact on OPPO products and business. The domain names include but are not limited to coloros.com, oppo.cn, oppo.com, oppoer.me and oppomobile.com (for other domain names, please refer to the definition of core business herein). The servers are the servers operated by OPPO, and the products are the products released by OPPO on client terminals. There will be no score for threat information that has no impact on OPPO business security.

4.2 General principles for review of vulnerabilities of third-party products:

① Servers: Including but not limited to vulnerabilities in components, OpenSSL, third-party SDKs, etc. related to servers in use by OPPO, such as Tomcat and Apache. If the submitted vulnerability was disclosed within the past month and OPPO has already learnt of it from other channels, it will not be reviewed and approved. If OPPO is still unaware of it, the vulnerability has been public for more than one month, and OPPO is still affected, the first person to submit the vulnerability shall get a reward, and generally the grade is no higher than medium-risk.

② Client terminals: Including but not limited to native vulnerabilities of Android and common vulnerabilities of apps, etc. If the submitted vulnerability was disclosed within the past three months and OPPO has already learnt of it from other channels, it will be reviewed and approved; if OPPO is still unaware of it, the vulnerability has been public for more than three months, and OPPO is still affected, the first person to submit the vulnerability shall get a reward, and generally the grade is no higher than medium-risk.

4.3 If multiple vulnerabilities are generated from the same vulnerability source, generally the first one to submit the vulnerability shall get the reward, and the number of vulnerabilities shall be counted as one.

4.4 For the same URL, if there are multiple similar vulnerabilities in multiple parameters, they shall be merged as appropriate. For different types of vulnerabilities in the same URL, the reward shall be given for the one with the highest degree of hazard.

4.5 Vulnerability reports shall be as detailed and standardized as possible. The level of detail of the vulnerability description, the principle of the vulnerability, the pattern of exploitation, the suggestion for fixing it and so on will affect the assessment of the vulnerability to a certain extent. Submitting a vulnerability without a PoC, an exploit or a detailed analysis will directly affect its assessment.

4.6 There will be no score for submission of threat information that is already publicly available online.

4.7 The final review of each vulnerability is determined by the difficulty of exploiting it, the hazardous degree, and the scope of its impact.

4.8 Scanner results without proof of the actual hazard will be rejected.

4.9 There will be no score for behaviour that, under the pretext of security testing, exploits the intelligence information to harm the interests of users, affects the normal operation of the business, discloses the vulnerability before it is fixed, steals user data, etc., and OPPO reserves the right to take further legal action.

5. Principle for points accumulation

5.1 After the reporter submits a valid vulnerability, points equal in number to the assessed value of the vulnerability shall be generated correspondingly. For example, if ZHANG San submits a major vulnerability that OSRC assesses at 2000 yuan, OSRC will also grant ZHANG San 2000 points.

5.2 The number of vulnerabilities submitted by the reporter and the accumulated points will be used for the annual ranking, and OSRC will give special rewards to the White Hats who have made outstanding contributions in the year.

6. Reward granting principles

6.1 The bonus will be transferred through a third-party bank account.

6.2 In the first week of each month, OPPO Security Response Center will make settlement of the rewards for all the valid vulnerabilities in the previous month, and announce the reward results on the OSRC website. The cash reward shall be paid within twenty working days, and the payment might be postponed if there are special circumstances. Your understanding will be appreciated.

6.3 If the first week of the month is a statutory holiday (such as the Spring Festival or the National Day), the settlement date will be postponed, and the time of announcement and bonus release will also be postponed.

6.4 To enable the bonus transfer, we need to collect the following information from you: Account Name, Bank Name, Account IBAN No., SWIFT. The OPPO Security Response Center promises that all personal information submitted by White Hats will only be used for the release of the bonus and will not be used for any other purpose or be leaked.

7. Dispute Resolution

In the process of threat information treatment, if the reporter has objections to the processing flow, the threat information assessment, the threat information scoring, etc., please give feedback in time through the comment function on the relevant threat reporting page or the "Contact the Administrator" button on the page. The OPPO Security Response Center will handle the matter on the principle of giving priority to the interests of threat reporters, and may involve external parties to make a joint decision if necessary.

The OPPO Security Response Center has the right of final interpretation of this incentive program within the extent permitted by law. You are also welcome to give us your valuable suggestions and comments.