2024-01-18
2024-01-30
OPPO - Bug Bounty Program

Chinese New Year Notice

Thank you all for your reports and hard-work on our program.
The Chinese New Year holiday will be from February 8th to February 18th.
As a result, there will inevitably be delays in processing some of the vulnerability reports we receive.
We would like to seek your understanding and patience during this time.

General Principles

OPPO attaches great importance to the security of its products and services, and is committed to ensuring user data security. We hope to work closer with individuals and organizations, including companies, in the industry through the OPPO Security Response Center (OSRC) to improve our overall security level.

OPPO supports responsible vulnerability disclosure and handling. We promise to set up a dedicated team to follow up, analyze, and handle any vulnerability reports and give a timely reply.

Scope of Application

The scoring standards apply to three types of OPPO properties: OPPO-owned properties, test environments, and third-party properties. OPPO-owned properties can be further divided into core and non-core properties based on their importance.

OPPO-owned Properties

OPPO-owned properties are properties whose domain names are owned by OPPO.
The following lists some of the OPPO-owned properties:

  • OPPO Official Website,
  • OPPO Shop,
  • OPPO App Market,
  • OPPO Game Center,
  • OPPO Advertising Alliance,
  • OPPO Cloud Service,
  • OPPO Membership,
  • OPPO Community,
  • OPPO Open Platform,
  • OPPO Marketing Platform,
  • ColorOS,
  • OPPO+,
  • OPPO Browser,
  • OPPO Theme Store.

Domain names of OPPO websites include but are not limited to the following:

  • *.oppo.com
  • *.oppo.cn
  • *.myoppo.com
  • *.opposhop.cn
  • *.coloros.com
  • *.nearme.com
  • *.oppomobile.com
  • *.oppofind.com
  • *.myoas.com
  • *.heytap.com
  • *.heytapmobi.com
  • *.realme.com (realme)
  • *.realme.net (realme)

Package names of OPPO mobile apps include but are not limited to the following:

  • com.oppo.usercenter
  • com.heytap.usercenter
  • com.nearme.atlas
  • com.nearme.wallet
  • com.coloros.browser
  • com.nearme.browser
  • com.heytap.browser
  • com.oppo.market
  • com.heytap.market
  • com.oppo.cloud
  • com.heytap.cloud
  • com.coloros.findphone.client
  • com.coloros.findphone.client2
  • com.coloros.findmyphone
  • com.oppo.speechassist
  • com.coloros.speechassist
  • com.nearme.instant.platform
  • com.coloros.backuprestore
  • com.coloros.encryption
  • com.coloros.securepay

Core Properties

Services in the core properties:

  • Breeno
  • Browser
  • My OPPO
  • HeyTap Cloud
  • Wallet

Domain names, IP addresses, and mobile apps of the above services are in the scope of core properties.

Non-core Properties

Non-core properties refer to OPPO-owned assets that are not in the scope of core properties.

Test Environments for OPPO-owned Properties

Test environments for OPPO-owned properties are intended for development and testing purposes. Their domain names may contain either "dev" or "test", or fall under either of the following:

  • *.wanyol.com
  • *.myoas.net

Third-Party Properties

OPPO's third-party properties include its agent systems and supplier systems. OPPO only accepts and handles high- and critical-risk vulnerabilities in its third-party properties. OPPO's third-party systems include but are not limited to the following:

  • id-sso.xiniaoyun.com
  • sso-sa.yeahzee.com
  • sso-me.yeahzee.com
  • esign.myoas.com
  • yezi-me.yeahzee.com
  • yezi-sa.yeahzee.com

Notes: Apart from the above, vulnerabilities in any third-party system or service (such as Smartbi and Yonghong Y-Reporting) that is embedded in OPPO-owned systems or products are also accepted as third-party vulnerabilities. The specific situation is subject to OSRC's explanation. Any other third-party vulnerability will no longer be accepted.

Rewards for Reported Vulnerabilities

The rewards are determined based on the type of properties and the hazard level. (Unit: USD, after taxes)

Property type | Critical | High | Moderate | Low
OPPO-owned properties: core properties | $2220-$4440 | $590-$890 | $120-$180 | $15-$30
OPPO-owned properties: non-core properties | $440-$740 | $150-$440 | $40-$75 | $10-$15
Test environments | $75-$150 | $40-$75 | $5-$15 | $0-$5
Third-party properties | $120-$150 | $30-$60 | $0 | $0

Note of the severity rating

We do believe all systems have their pros and cons.
From our perspective, CVSS score is not flexible enough for us to evaluate reports.
We will therefore apply a standardized CVSS score to match with the severity of the issue we feel appropriate.

Severity | Default CVSS score | CVSS vector
Low | 3.7 | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Medium | 5.3 | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
High | 7.5 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Critical | 9.8 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Scoring Rules

We have defined four levels for web app security vulnerabilities based on the degree of their impact: Critical, High, Moderate, and Low.

Web App Security Vulnerabilities

Levels, with examples of vulnerability and impact:

Critical
Including but not limited to:
1. Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.
2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.
3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account.
High
Including but not limited to:
1. Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.
2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server-side encryption or plain-text storage of passwords, hard-coded secrets, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords).
3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data.
4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account.
5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can cause automatic spread of and allow acquisition of authentication credentials (cookies).
Moderate
Including but not limited to:
1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS to general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide the proof of the harm to other users.
2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations.
3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over HTTP when a HeyTap account is used for sign-in.
4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks.
5. Unrestricted brute-force attacks on important account systems.
Low
Including but not limited to:
1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties.
2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exceptions information and configuration settings, log printing and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in.
3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If the PoC for URL redirection shows that an OPPO URL can be redirected to any domain that does not belong to OPPO without any prompt being displayed, then there is a vulnerability. Otherwise no vulnerability exists.)
4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON Hijacking that has obtained sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (valid PoC must be provided in the vulnerability details).
5. Other vulnerabilities that can only cause slight impact. Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions.
6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.)
NSI (no security impact)
Including but not limited to:
1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues.
2. Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited.
3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers.
4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information.
5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.
6. Cracking of 6-digit verification codes by distributed equipment.
7. Other vulnerabilities with extremely low risks.

Notes:

  • ① A weak backend password vulnerability can be rated as moderate at most if the attacker accesses no sensitive information or performs no sensitive operations after logging in to the backend with the weak password.

  • ② In principle, vulnerabilities detected at the backend will be downgraded.

  • ③ Only vulnerabilities directly resulting in denial-of-service (DoS) attacks will be accepted. The ratings of such vulnerabilities depend on the vulnerability itself and the way it is exploited. High-traffic, high-concurrency DoS vulnerabilities will not be accepted.

  • ④ The exploitation of vulnerabilities includes but is not limited to exploiting web vulnerabilities such as XSS and URL redirection to attack apps, and such vulnerabilities are rated as moderate. Newly discovered exploitation circumstances can be escalated as appropriate.

  • ⑤ Types of vulnerabilities that will not be accepted:

    • Recently disclosed 0-day vulnerabilities(a researcher should wait around 30 days of cool down period to report).
    • Disclosure of known public files or directories.
    • Use of a known-vulnerable library without a description of an exploit specific to our implementation.
    • OPTIONS / TRACE HTTP method enabled.
    • Login/logout/unauthenticated/low-impact CSRF
    • Software version disclosure.
    • Cookies that keep working after logout.
    • Presence of autocomplete attribute on web forms.
    • Cookies that lack HTTP Only or Secure settings for non-sensitive data.
    • Self-XSS and issues exploitable only through Self-XSS.
    • Reports generated from automatic tools or scans.
    • Issues related to network protocols or industry standards.
    • Username enumeration based on login, forgot password, account creation and registration pages.
    • Enforcement policies for brute force or account lockout.
    • Unsecured SSL/TLS or SSH configurations.
    • Unrealistically impractical complex clickjacking.
    • Mail configuration issues including SPF, DKIM, DMARC settings.
    • Password or account recovery policies, such as reset link expiration or password complexity.
    • Publicly accessible login panels.
    • Lack of email verification when registering an account.
    • Use of a known-vulnerable library (without proof of exploitability).
    • Content spoofing / text injection.
    • Missing security headers.
    • Mixed content issues.
    • Issues related to active sessions after password changes.
    • Hyperlink injection in emails using forms available to any user.
    • Reports of credentials exposed by other data breaches / known credential lists.
    • Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or wildcard (*) presence/misconfiguration in these.
    • Man-in-the-Middle attacks, except for sensitive information such as passwords.
    • Functional product defects, garbled pages, style mixing, file path traversals that do not cause impact to OPPO.
  • ⑥ Definitions and levels of sensitive information:

Types of sensitive information and their level:

Type | Description
Sensitive personal information of users | All kinds of information recorded in relation to identified or identifiable natural persons (excluding anonymized information), including but not limited to: personal biometric information, personal identification information, specific identification information, personal financial property information, personal medical and health information, children's personal information, as well as personal communications, contacts, and locations.
Sensitive information of employees | Includes but is not limited to: ID card number and address, medical reports, salary-related data, bank account number, home address, contact information of family members, religious beliefs, and marriage records.
Other | Other sensitive information leaks are assessed based on the actual harm caused.

Notes:

  1. The above employees refer to the employees of the Oplus Group, excluding employees of its agents and suppliers.

  2. The above quantities are used for general reference only and can be appropriately adjusted based on factors such as the importance of the system, the scale of data hosted by the system, and the importance of sensitive information.

Mobile App Security Vulnerabilities

This type of security vulnerability mainly refers to those in mobile devices powered by ColorOS/realme UI. It includes security vulnerabilities in ColorOS and realme UI built-ins and security vulnerabilities in OPPO's and realme's proprietary apps available in the App Market.

Levels, with examples of vulnerability and impact:

Critical
Including but not limited to:
1. Remote code execution (RCE): The attacker is able to remotely execute arbitrary code with the app permissions, including but not limited to a remote memory corruption vulnerability (complete exploit information should be provided), a code execution vulnerability caused by overwriting a dynamic library, and other RCE vulnerabilities caused by logic issues.
2. Remote silent installation of any app: The attacker installs any app remotely or through low-level user interaction.
3. Other severe logic vulnerabilities that can be exploited remotely: including but not limited to remote account takeover, lock screen bypass, money transfer, and other attacks that severely endanger a user's account or asset.
High
Including but not limited to:
1. Arbitrary code execution (ACE): The attacker locally executes arbitrary code with the app permissions, including but not limited to a local memory corruption vulnerability (complete exploit information should be provided), a code execution vulnerability caused by overwriting a dynamic library, and other ACE vulnerabilities caused by logic issues.
2. Sensitive information leakages: The attacker obtains sensitive information on an app or device locally or through low-level user interaction. Such sensitive information includes login credentials, SMS messages, call history, contacts, browsing history, and other sensitive information in the private app directory.
3. Privilege escalation vulnerabilities: Such vulnerabilities allow individuals to gain elevated access to an app to perform dangerous operations, including but not limited to launching any protected component of the app, enabling silent installation of any app, modifying the security and privacy settings of the app, and making silent calls or sending silent SMS messages through the app permissions.
4. Other severe logic vulnerabilities: including but not limited to account takeover, lock screen bypass, money transfer, and other acts that are performed locally or through low-level user interaction and severely endanger a user's account or assets.
5. Vulnerabilities able to break the site isolation restrictions of a browser, including but not limited to UXSS.
Moderate
Including but not limited to:
1. Arbitrary code execution or silent installation by staging MITM attacks (valid PoC must be provided in the vulnerability details).
2. Leakages of common information, including but not limited to the leakage of IMEI, IMSI, mobile number, and other common user information.
3. Remote denial of service vulnerability.
Low
Including but not limited to:
1. Stealing of sensitive information by staging MITM attacks (valid PoC must be provided in the vulnerability details).
2. UI deception vulnerabilities that may cause actual harm. The risk level for this kind of vulnerability can be defined based on the actual harm.
NSI (no security impact)
Including but not limited to:
1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, static directory traversals, and application compatibility issues.
2. Vulnerabilities of no significance, including but not limited to a scanner's meaningless vulnerability reports (such as an automatic app analysis report on code decompilation and lack of security reinforcement).
3. Vulnerabilities that result from necessary risky permissions but cannot be exploited. Such vulnerabilities include but are not limited to necessary component exposures, such as activity export.
4. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.
5. Local denial-of-service vulnerabilities: Bugs that can only be launched locally on the phone and cause apps to crash temporarily without leading to further security issues.
6. Other vulnerabilities with extremely low risks.

Notes:

The following explains the concepts used above, in particular for mobile app security vulnerabilities that can be triggered only through user actions such as clicking a link, opening a phishing email, or installing malicious software:

  • Remote(ly): An online attack requires no physical contact with a user's mobile phone. Usually the attacker uses a browser, IM software or SMS messages to launch an attack.
  • Local(ly): It is necessary for the attacker to induce the victim to install malicious apps on the phone, or the attacker directly uses ADB commands, NFC, Bluetooth, or any other function to launch an attack.
  • Low-level user interaction: specific to scenarios where a security vulnerability can be triggered just by clicking on a link.
  • High-level user interaction: specific to scenarios where a security vulnerability can be triggered after an induced user installs a malicious app, clicks a phishing email, or clicks to confirm twice or more, or after a risk prompt is displayed.

Additional Rewards

We offer a reward as high as USD 14,800 for those who report especially significant security vulnerabilities. The exact amount is subject to the OSRC's decision after taking into account various factors.

Special Notes

Application for CVE IDs

OPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs. Security researchers can send their applications to security@oppo.com. The OSRC will review their vulnerability reports in line with CVE requirements. If the review finds no problem, the OSRC will help the researchers apply for CVE IDs. For details, see the CVE ID Submission Instructions.

Repeated Vulnerability Reports

  • Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.
  • For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.
  • If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.
  • For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.

Zero-Day Vulnerabilities

The OSRC accepts zero-day (also known as 0-day) vulnerabilities found only in OPPO products and services.

General Vulnerability Review Principles for Third-Party Products

  • Server-side vulnerabilities: including but not limited to vulnerabilities in the components of Tomcat and Apache being used by OPPO, OpenSSL, and third-party SDKs. For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.
  • Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.
  • For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.
  • If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.
  • Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. For a reported vulnerability, the lack of PoC, exploit information, or analysis details will directly affect the scoring.
  • Reporting threats or intelligence already published online will be given no score.
  • The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.
  • Scanner results without proof of harm will be considered invalid.
  • If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO will reserve the right to take legal action.

Payment of Rewards

  • In the first week of each month, the OSRC will conduct reward settlement for all reported vulnerabilities that are considered valid in the previous month, and announce the reward results on the OSRC website. Cash rewards will be paid within 20 working days. In the event of special circumstances, the payment may be postponed. We will be grateful for your understanding.
  • If the first week of a month is a statutory holiday (such as Chinese Spring Festival or National Day), the settlement date will be postponed to the next week. Likewise, the announcement and payment date will be postponed appropriately.

Dispute Handling

  • If you disagree with the vulnerability handling process, review, and scoring results, please send an email to security@oppo.com. The OSRC will handle the feedback by following the principle that reporters' interests come first. When necessary, the OSRC will bring in external experts for a joint decision.
  • The OSRC reserves the right to interpret this reward scheme to the extent permitted by law. We welcome suggestions from security researchers and reporters.

Prohibitions

OPPO opposes and condemns all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. For the above-mentioned behaviors, OPPO will pursue legal support and hold relevant people accountable in accordance with law.

Non-participants

OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.

Clause Interpretation

The OSRC reserves the right to interpret all the above clauses.

In Scope

  • OPPO-owned properties: non-core properties (scope type: api)
  • OPPO-owned properties: core properties
  • Test environments
  • Third-party properties

Out of Scope

  • All domains or subdomains not listed in the above list of 'Scopes'


This program crawled on the 2024-01-18 is sorted as bounty.

FireBounty © 2015-2024
