Here at Opera, we are excited to work with the security community to secure our products and services. Before reporting a vulnerability, please make sure you review the following program rules. Good luck, and happy hunting!
The key factor that determines the bounty range is a demonstrated security impact: described in the ticket by the reporter and then confirmed by Opera. We expect the reporter to provide a realistic attack scenario, evaluate the impact and report it honestly. The more potential damage a disclosure saves us from, the higher the payout.
Some examples of high-impact vulnerabilities:
| Confirmed impact | Bounty [USD] |
|---|---|
| A demonstrated leak of end-user personal data from production servers at scale (database or file storage dump, or the ability to harvest data systematically). | 5-10K |
| Ability to deface or modify a key Opera production website (e.g. www.opera.com). | 5-10K |
| Breaking a significant "security requirement" of any Opera product (see the examples below). | 2-10K |
| A demonstrated scenario for taking administrative control of core production infrastructure (network devices, hardware, hypervisors). | 5-10K |
| A demonstrated scenario for taking administrative control of production web application admin panels. | 1-5K |
| Anything less impactful. | < 1K |
| No impact demonstrated in the submission. | 0 |

Examples of what constitutes breaking a significant security requirement:
- Use Opera paid services or premium features for free.
- Hijack end-user valuable assets (account balances, earnings, artifacts).
- Theft of arbitrary files from the local system.
- Opera Account takeover without any social engineering.
- Disclosure of secrets (e.g. messages in Flow).
- Spoofing of the full URL bar, or bypass of SSL integrity checks.
- Vertical privilege escalation.
- 0-click disclosure of browsing history.
- Achieving native code execution.
- Memory corruption leading to a limited or arbitrary memory read or write.
When assessing the quality of your report, we will look at the following points:
- The issue description is clear and understandable.
- The issue is a vulnerability, not simply a security risk or a missing best practice.
- The target and the attack method are in scope as per our program's brief.
- A realistic, repeatable, and unconditional attack scenario is provided.
- A real security impact is honestly reported.
- Reproduction steps, a proof of concept, or an exploit are submitted and work as described.
To qualify for any monetary reward, all of these requirements must be met.
Please note that any manipulative behavior or other violation of Bugcrowd's Code of Conduct will also be taken into account, and may result in disqualification from a reward even if the submission is valid.
Video PoC & Screenshots
If you create a video PoC, please upload it to Vimeo as a password-protected video and include the link (and password) in your submission. Please embed screenshots in the submission text rather than simply uploading them as attachments. We strongly recommend setting an English locale when taking screenshots or recording videos.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.