Opera Public Bug Bounty

  • $50 – $5,000 per vulnerability
  • Up to $10,000 maximum reward
  • Safe harbor

Opera Bug Bounty Newsletter - May 2021

I. New targets!

We've just added several new targets associated with https://www.yoyogames.com to the scope of the program, most notably the flagship product GameMaker Studio 2, API endpoints and websites. It could be a nice opportunity to learn new things and check out this cool project.

II. Join our private program too

The scopes of Opera’s private and public programs are non-overlapping, so you can find some interesting things to test there as well.

Here's info on how to join:
https://security.opera.com/bug-bounty/

III. Our Hacktivity

We also like to hack things, and we want to share some of our experiences with you to help you grow professionally. To that end, we are planning to publish several articles throughout the year about some of the exciting stuff we’re doing, and what we have learnt along the way.

The first blog post is already here. It is the story of how Joshua Rogers from the Opera Security Team found six zero-days in Privoxy: https://blogs.opera.com/security/2021/05/fuzzing-http-proxies-privoxy-part-1/

IV. Scope

Please note that Opera’s public program scope is divided into primary and secondary targets. We pay more for vulnerabilities affecting primary targets, as these are of higher value to us. Secondary targets are a mix of low to medium value assets. If you’re primarily after money, focus on the primary targets.

V. How much we pay

The Opera Bounty Council decides on actual payments considering the following criteria, in that specific order:

  • Business value of the target. Whenever direct revenue, the Opera brand, user trust or personal data disclosure at scale is at stake, the report will be high-value (even if the target is in the secondary group).
  • Security impact. That means Bugcrowd’s VRT plus exploitability. The more potential damage we were saved from by the disclosure of a vulnerability, the higher the payout.
  • Quality of the report. Well-described submissions with demonstrated due diligence, an accurate and realistic assessment of the issue and its implications, and a developed exploit or PoC will qualify for the highest reward.

Regards,
Opera Security Team