Opera Public Bug Bounty

  • $50 – $5,000 per vulnerability
  • Up to $10,000 maximum reward
  • Safe harbor

Opera Bug Bounty Newsletter - May again :-)

Opera Bug Bounty Newsletter

I. Heavy ticket traffic

We’re experiencing heavier than normal ticket traffic in our bounty programs, which may lead to slower response times in some cases. We apologize for the inconvenience; we’ll get back to all of you.

II. Android hackers wanted

Opera’s public bug bounty program includes Opera for Android. So far we haven’t received many reports for it. To help people understand which attack vectors we would be happy to pay for, and which are a waste of time, we wrote this blog post:
https://blogs.opera.com/security/2021/05/opera-browser-for-android/

III. Opera browsers are Chromium-based, but Chromium is out-of-scope

Chromium issues are considered out of scope, even when an older version of Chromium is involved.

In other words:

  • Opera for Android (public program) = Chromium + “Opera for Android features”
  • Opera PC (private program) = Chromium + “Opera PC features”
  • Opera GX (private program) = Opera PC + “Opera GX features”

You should assume that only “Opera features” are in scope of the program. We’re eager to get your reports about issues with Flow, Crypto Wallet, VPN client, and so on. We will not, however, accept submissions related to Chromium. Opera for PC is normally based on the latest version of Chromium, but GX sometimes is not (this will change with time though).

Please also ensure that the attack scenario is realistic, and consistent with other rules we’ve detailed in the respective program’s brief.

IV. Please don’t report “EXIF data not stripped”

We’re not hosting a whistleblower site, a forum for military personnel in deployment, or anything that would justify this kind of functionality. Therefore we don’t consider this a bug at all.

V. Reminder on Opera’s rewarding philosophy

Please note that Opera’s public program scope is divided into primary and secondary targets. We pay more for vulnerabilities affecting primary targets, as these are of higher value to us. Secondary targets are a mix of low to medium value assets. If you’re primarily after money, focus on the primary targets.

The Opera Bounty Council decides on actual payments considering the following criteria, in that specific order:

  • Business value of the target. Whenever direct revenue, the Opera brand, user trust, or personal data disclosure at scale is at stake, the report will be high-value (even if the target is in the secondary group).
  • Security impact. That means Bugcrowd’s VRT plus exploitability. The more potential damage we were saved from by the disclosed vulnerability, the higher the payout.
  • Quality of the report. Well-described submissions with demonstrated due diligence, an accurate and realistic assessment of the issue and its implications, and a developed exploit or PoC will qualify for the highest reward.

Regards,
Opera Security Team