OnePlus has unveiled its own bug bounty program, which they are calling the OnePlus Security Response Center or OneSRC for short. The premise is simple: If you (properly) find a vulnerability, you can get money in exchange for (properly) reporting it. The opening of this program comes nearly two years after the company disclosed a security breach in its payment portal, and one month after they disclosed a breach of customer data in the OnePlus Store.
This bug bounty program is a bit different compared to the equivalents from other companies, though, and this is because of payout amounts. While other companies are willing to offer several hundred thousand dollars for a very critical security vulnerability, OnePlus is offering up to $7,000 for what it deems to be the most critical threats, while smaller bugs will go as low as $50-$100. The Submission Policy page clarifies OnePlus’ stance on responsible/coordinated disclosure, account interaction, disallowed attack methods, ineligible issues, and finally, the payments.
Here’s the reward tier list:
- Special cases: up to $7,000
- Critical: $750 – $1,500
- High: $250 – $750
- Medium: $100 – $250
- Low: $50 – $100
While $7,000 is a decent sum for some people, it is a very far cry from what other companies offer. With a company of OnePlus’ size and scope (they’ve grown a lot larger since they launched the OnePlus One 5 years back), you’d expect payouts for such a program to be just a bit more generous. Nonetheless, we hope the program will help to improve the security of OnePlus products.
OnePlus also says they will collaborate with HackerOne, a hacker-powered bug bounty platform, to launch a pilot program in 2020, inviting select security researchers to test their systems against potential threats.