[{"id":3770538,"new_policy":"OPPO’s commitment to global researcher collaboration significantly enhances product security. \nWe welcome hackers worldwide to submit security vulnerability reports related to OPPO services. Your contributions will help enhance the security of OPPO's business and products. \nOPPO's program on H1 currently accepts vulnerabilities in the following areas:\n\n**Web/App services**\nFor the scope of acceptance, please refer to:\n🔹 Google Document (detailed domain/package name scope): https://docs.google.com/spreadsheets/d/1K2knhissfw817g_wLNQYJLGIn--j9HKHYBXsdALrD8Y/edit?usp=sharing\n\nNotes:\nIf a business nested within a business of a given coefficient is involved, it is rated according to the coefficient it actually belongs to. For example, a high-level property embedded within an open platform, or a mid-level property nested within an e-commerce platform, will be rated based on the mid-level property. The specific circumstances will be clarified by OSRC.\n\n**Web Application Scoring Rules**\nWe have defined four levels for web application security vulnerabilities based on the degree of their impact: Critical, High, Moderate, and Low. Reports that do not qualify for a bounty are marked NSI (Not a Security Issue).\n# OPPO Vulnerability Severity and Bounty Table\n\n| Level | Example of Vulnerability and Impact | Bounty Range (USD) |\n|-------|-----------------------------------|-------------------|\n| **Critical** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.\u003cbr\u003e\u003cbr\u003e2. 
Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transactions) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.\u003cbr\u003e\u003cbr\u003e3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account. | **Extremely High:** 5000-11500\u003cbr\u003e**High:** 2900-4300 |\n| **High** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.\u003cbr\u003e\u003cbr\u003e2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard-coded passwords, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords).\u003cbr\u003e\u003cbr\u003e3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive intranet data.\u003cbr\u003e\u003cbr\u003e4. 
Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account.\u003cbr\u003e\u003cbr\u003e5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can self-propagate and allow acquisition of authentication credentials (cookies). | **Extremely High:** 2900-3500\u003cbr\u003e**High:** 2900-4300 |\n| **Moderate** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS on general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide proof of the harm to other users.\u003cbr\u003e\u003cbr\u003e2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations.\u003cbr\u003e\u003cbr\u003e3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over HTTP when a HeyTap account is used for sign-in.\u003cbr\u003e\u003cbr\u003e4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks.\u003cbr\u003e\u003cbr\u003e5. Unrestricted brute-force attacks on important account systems. | **Extremely High:** 230-430\u003cbr\u003e**High:** 150-300 |\n| **Low** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). 
Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties.\u003cbr\u003e\u003cbr\u003e2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exception information and configuration settings, log printing, and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in.\u003cbr\u003e\u003cbr\u003e3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to an ordinary website is not by itself considered a vulnerability. If the PoC for the URL redirection shows that an OPPO URL can be redirected to an arbitrary domain that does not belong to OPPO without any prompt being displayed, it is a vulnerability; otherwise no vulnerability exists.)\u003cbr\u003e\u003cbr\u003e4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON hijacking that obtains sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (a valid PoC must be provided in the vulnerability details).\u003cbr\u003e\u003cbr\u003e5. Other vulnerabilities that can only cause slight impact. Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions.\u003cbr\u003e\u003cbr\u003e6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. 
(Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.) | **Extremely High:** 20-45\u003cbr\u003e**High:** 15-40 |\n| **NSI** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues.\u003cbr\u003e\u003cbr\u003e2. Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited.\u003cbr\u003e\u003cbr\u003e3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers.\u003cbr\u003e\u003cbr\u003e4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information.\u003cbr\u003e\u003cbr\u003e5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.\u003cbr\u003e\u003cbr\u003e6. 
Cracking of 6-digit verification codes by distributed equipment.\u003cbr\u003e\u003cbr\u003e7. Other vulnerabilities with extremely low risks. | No bounty |\n\n---\n\n**Note:** NSI = Not a Security Issue (vulnerabilities that do not qualify for bounty rewards)\n\n**Mobile App Security Vulnerabilities**\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS or realme UI. It includes security vulnerabilities in ColorOS or realme UI built-ins and security vulnerabilities in OPPO's and realme's proprietary apps available in the App Market.\n\n# Vulnerability Levels and Examples\n# OPPO Mobile Security Vulnerability Severity and Reward Table\n\n| Level | Example of Vulnerability and Impact | Reward (USD) |\n|-------|-----------------------------------|--------------|\n| **Critical** | 1. Arbitrary code execution in the TEE;\u003cbr\u003e\u003cbr\u003e2. Unauthorized access to TEE-protected data (limited to fingerprints, face data, payment information, and other data whose exposure can cause property loss to the victim);\u003cbr\u003e\u003cbr\u003e3. Remote code execution in a privileged process, the TCB, or the ICE;\u003cbr\u003e\u003cbr\u003e4. Remote permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can be recovered only by re-flashing the entire OS);\u003cbr\u003e\u003cbr\u003e5. Remote bypass of interaction requirements for installing an app package or an equivalent action;\u003cbr\u003e\u003cbr\u003e6. Bypass of the secure boot mechanism;\u003cbr\u003e\u003cbr\u003e7. Upgrading to firmware or an image not signed by OPPO;\u003cbr\u003e\u003cbr\u003e8. Vulnerabilities allowing individuals to extract or infer private user information, such as images and sounds, from an AI model file. | **$5,000-$11,500** |\n| **High** | 1. Remote code execution in an unprivileged process;\u003cbr\u003e\u003cbr\u003e2. 
Local arbitrary code execution in a privileged process, the TCB or ICE;\u003cbr\u003e\u003cbr\u003e3. Unauthorized access to TEE-protected data;\u003cbr\u003e\u003cbr\u003e4. Remote access to protected data (usually limited to the data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process);\u003cbr\u003e\u003cbr\u003e5. Local permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS);\u003cbr\u003e\u003cbr\u003e6. Remote temporary DoS attacks (remote hang or reboot);\u003cbr\u003e\u003cbr\u003e7. Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission);\u003cbr\u003e\u003cbr\u003e8. Local bypass of user interaction requirements for modifying security settings (such as Developer Options);\u003cbr\u003e\u003cbr\u003e9. Bypass of the security protection mechanism that separates the app data from other apps;\u003cbr\u003e\u003cbr\u003e10. Bypass of the security protection mechanism that separates users or user profiles from one another;\u003cbr\u003e\u003cbr\u003e11. Local bypass of user interaction requirements for installing an app package or an equivalent action;\u003cbr\u003e\u003cbr\u003e12. Lock screen bypass;\u003cbr\u003e\u003cbr\u003e13. Bypass of the device protection functions (such as the \"Find My Phone\" function);\u003cbr\u003e\u003cbr\u003e14. Bypass of the carrier's restrictions (such as SIM card lock);\u003cbr\u003e\u003cbr\u003e15. Bypass of the authentication mechanism to control OPPO smart devices;\u003cbr\u003e\u003cbr\u003e16. Local acquisition of private user data through the AI model. | **$2,900-$3,500** |\n| **Moderate** | 1. Remote code execution in a constrained process;\u003cbr\u003e\u003cbr\u003e2. Local code execution in an unprivileged process;\u003cbr\u003e\u003cbr\u003e3. 
Bypass of the mitigation technology in a privileged process or in the TCB, ICE, or TEE;\u003cbr\u003e\u003cbr\u003e4. Bypass of restrictions on a constrained process;\u003cbr\u003e\u003cbr\u003e5. Bypass of restrictions on the privacy password;\u003cbr\u003e\u003cbr\u003e6. Remote access to unprotected data (usually referring to all the data that can be accessed by locally installed apps);\u003cbr\u003e\u003cbr\u003e7. Local access to protected data (usually limited to the data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process);\u003cbr\u003e\u003cbr\u003e8. Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission);\u003cbr\u003e\u003cbr\u003e9. Plaintext leakage caused by an incorrect choice of encryption algorithm or an incorrect implementation of the encryption algorithm;\u003cbr\u003e\u003cbr\u003e10. Bypass of the protection function for restoring factory settings;\u003cbr\u003e\u003cbr\u003e11. Targeted blocking of access to emergency services. | **$230-$430** |\n| **Low** | 1. Local arbitrary code execution in a constrained process;\u003cbr\u003e\u003cbr\u003e2. Bypass of the mitigation technology in an unprivileged process. 
| **$20-$45** |\n\n---\n\n**Technical Abbreviations:**\n- **TEE:** Trusted Execution Environment\n- **TCB:** Trusted Computing Base\n- **ICE:** Independent Computing Environment\n- **DoS:** Denial of Service\n\n# Special Notes on Mobile Device Scoring Rules\n**Concepts Involved in Mobile Phone Security Vulnerabilities**\n- Remote: The attacker exploits vulnerabilities to launch an attack without needing the app concerned to be installed and without physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or having wireless network communications (excluding communication at a distance of less than 10 cm).\n- Local: The attacker exploits vulnerabilities to launch an attack that requires the relevant app to be installed on the victim's system, or physical contact with the victim's system, where the communication distance is less than 10 cm.\n- Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted SELinux (or SEAndroid) domain.\n- Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application/process or built-in application/process without system-level permissions.\n- Privileged process: refers to an application or process running in the system_app domain of SELinux (or SEAndroid), such as a process running with system-level permissions or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a computer's protective devices, including hardware, firmware, software, and components that implement security policies. 
It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and simple OS, such as a baseband modem.\n\n**Application for CVE IDs**\nOPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nTo apply for a CVE, send an application email to security@oppo.com listing the following points:\n- The name and Report ID of the vulnerability\n- The impact of the vulnerability\n- The type and severity of the vulnerability\n- PoC\n- The nickname and email of the applicant\nThe OSRC team will review the vulnerability report in line with CVE requirements. If the review finds no problem, the OSRC will help the researcher apply for a CVE ID.\n\n**Repeated Vulnerability Reports**\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. 
Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\n\n**Zero-Day Vulnerabilities**\n- We accept zero-day (also known as 0-day) vulnerabilities found only in OPPO or realme products and services.\n\n**General Vulnerability Review Principles for Third-Party Products**\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the Tomcat and Apache components used by OPPO or realme, OpenSSL, and third-party SDKs. For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO or realme has already received the vulnerability from another channel, OPPO or realme will give a FAIL result to the vulnerability report. If OPPO or realme remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO or realme has already received the vulnerability from another channel, OPPO or realme will give a FAIL result to the vulnerability report. 
If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's and realme's third-party products, OPPO or realme will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. For a reported vulnerability, the lack of PoC, exploit information, or analysis details will directly affect the scoring.\n- Reporting threats or intelligence already published online will be given no score.\n- The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. 
In addition, OPPO will reserve the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, Excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n**Clause Interpretation**\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n# OPPO Security Disclosure Statement\n\nOPPO is committed to product security and user privacy protection. Our OSRC (OPPO Security Response Center) Vulnerability Disclosure Program provides a secure channel for researchers to report security issues.\n\n## Responsible Disclosure Policy\n\nWhen reporting vulnerabilities:\n- Allow reasonable time for investigation before public disclosure\n- Do not exploit discovered vulnerabilities or access sensitive data\n- Follow applicable laws and privacy regulations\n- Agree to OPPO's Privacy Policy and these Terms \u0026 Conditions\n\n## Terms \u0026 Conditions\n\n- Any inadvertent access to proprietary data must be declared in your report and not used, stored, or disclosed\n- Submissions grant OPPO a worldwide, permanent, royalty-free license to address vulnerabilities\n- Do not disclose vulnerabilities to third parties without prior written consent\n- OPPO will respond within 15 working days and provide progress updates\n\n## Important Notice\n\nTo protect users, OPPO will not discuss security issues before completing full investigations.\n\n**Report vulnerabilities at:** 
[https://security.oppo.com/en/responsibleDisclosure](https://security.oppo.com/en/responsibleDisclosure)\n\n---\n\n*By participating, you acknowledge understanding and acceptance of these policies.*\n\n## Prohibitions\n- OPPO and realme oppose and condemn all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. For the above-mentioned behaviors, OPPO will pursue legal support and hold relevant people accountable in accordance with law.\n\nYou can check more details of the device standard at: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554748210814394368\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"At OPPO, we believe in the power of collaboration to enhance security. That’s why we are excited to publicly collect business vulnerability reports through our H1 initiative. With our extensive testing resources and a generous reward program, we aim to encourage ethical hackers and security researchers from around the globe to contribute to the safety of our products and services.","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. 
If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2026-03-04T02:38:30.981Z"},{"id":3765350,"new_policy":"OPPO’s commitment to global researcher collaboration significantly enhances product security. \nWe welcome hackers worldwide to submit security vulnerability reports related to OPPO services. Your contributions will help enhance the security of OPPO's business and products. 
\nOPPO's program on H1 currently accepts vulnerabilities in the following areas:\n\n**Web/App services**\nFor the scope of acceptance, please refer to:\n🔹 Google Document (detailed domain/package name scope): https://docs.google.com/spreadsheets/d/1K2knhissfw817g_wLNQYJLGIn--j9HKHYBXsdALrD8Y/edit?usp=sharing\n\n**Web Application Scoring Rules**\nWe have defined four levels for web application security vulnerabilities based on the degree of their impact: Critical, High, Moderate, and Low. Reports that do not qualify for a bounty are marked NSI (Not a Security Issue).\n# OPPO Vulnerability Severity and Bounty Table\n\n| Level | Example of Vulnerability and Impact | Bounty Range (USD) |\n|-------|-----------------------------------|-------------------|\n| **Critical** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.\u003cbr\u003e\u003cbr\u003e2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transactions) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.\u003cbr\u003e\u003cbr\u003e3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account. | **Extremely High:** 5000-11500\u003cbr\u003e**High:** 2900-4300 |\n| **High** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. 
Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.\u003cbr\u003e\u003cbr\u003e2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard-coded passwords, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords).\u003cbr\u003e\u003cbr\u003e3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive intranet data.\u003cbr\u003e\u003cbr\u003e4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account.\u003cbr\u003e\u003cbr\u003e5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can self-propagate and allow acquisition of authentication credentials (cookies). | **Extremely High:** 2900-3500\u003cbr\u003e**High:** 2900-4300 |\n| **Moderate** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS on general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. 
All vulnerability descriptions must provide proof of the harm to other users.\u003cbr\u003e\u003cbr\u003e2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations.\u003cbr\u003e\u003cbr\u003e3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over HTTP when a HeyTap account is used for sign-in.\u003cbr\u003e\u003cbr\u003e4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks.\u003cbr\u003e\u003cbr\u003e5. Unrestricted brute-force attacks on important account systems. | **Extremely High:** 230-430\u003cbr\u003e**High:** 150-300 |\n| **Low** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties.\u003cbr\u003e\u003cbr\u003e2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exception information and configuration settings, log printing, and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in.\u003cbr\u003e\u003cbr\u003e3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to an ordinary website is not by itself considered a vulnerability. If the PoC for the URL redirection shows that an OPPO URL can be redirected to an arbitrary domain that does not belong to OPPO without any prompt being displayed, it is a vulnerability. 
Otherwise no vulnerability exists.)\u003cbr\u003e\u003cbr\u003e4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may lead to the spread and exploitation of XSS, JSON hijacking that obtains sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (a valid PoC must be provided in the vulnerability details).\u003cbr\u003e\u003cbr\u003e5. Other vulnerabilities that can only cause slight impact. Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions.\u003cbr\u003e\u003cbr\u003e6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reports wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.) | **Extremely High:** 20-45\u003cbr\u003e**High:** 15-40 |\n| **NSI** | **Including but not limited to:**\u003cbr\u003e\u003cbr\u003e1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues.\u003cbr\u003e\u003cbr\u003e2. 
Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on an outdated web server version), meaningless XSS (such as Self-XSS attacks), XSS that relies on social engineering or phishing, POST-based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of intranet IP addresses or domain names, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited.\u003cbr\u003e\u003cbr\u003e3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers.\u003cbr\u003e\u003cbr\u003e4. Traversals and leakages of non-sensitive information, such as middleware versions.\u003cbr\u003e\u003cbr\u003e5. Vulnerabilities that cannot be reproduced or other issues that do not directly demonstrate any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.\u003cbr\u003e\u003cbr\u003e6. Cracking of 6-digit verification codes by distributed equipment.\u003cbr\u003e\u003cbr\u003e7. Other vulnerabilities with extremely low risks. | No bounty |\n\n---\n\n**Note:** NSI = Not a Security Issue (vulnerabilities that do not qualify for bounty rewards)\n\n**Mobile App Security Vulnerabilities**\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS or realme UI. 
It includes security vulnerabilities in ColorOS or realme UI built-ins and security vulnerabilities in OPPO's and realme's proprietary apps available in the App Market.\n\n# Vulnerability Levels and Examples\n# OPPO Mobile Security Vulnerability Severity and Reward Table\n\n| Level | Example of Vulnerability and Impact | Reward (USD) |\n|-------|-----------------------------------|--------------|\n| **Critical** | 1. Arbitrary code execution in the TEE;\u003cbr\u003e\u003cbr\u003e2. Unauthorized access to TEE-protected data (limited to fingerprints, face data, payment information, and other data whose exposure can cause property loss to the victim);\u003cbr\u003e\u003cbr\u003e3. Remote code execution in a privileged process, the TCB, or the ICE;\u003cbr\u003e\u003cbr\u003e4. Remote permanent DoS attacks (rendering the attacked device unusable; for example, the device is damaged permanently or can be recovered only by re-flashing the entire OS);\u003cbr\u003e\u003cbr\u003e5. Remote bypass of user interaction requirements for installing an app package or an equivalent action;\u003cbr\u003e\u003cbr\u003e6. Bypass of the secure boot mechanism;\u003cbr\u003e\u003cbr\u003e7. Upgrading to firmware or an image not signed by OPPO;\u003cbr\u003e\u003cbr\u003e8. Vulnerabilities allowing individuals to extract or infer private user information, such as images and sounds, from an AI model file. | **$5,000-$11,500** |\n| **High** | 1. Remote code execution in an unprivileged process;\u003cbr\u003e\u003cbr\u003e2. Local arbitrary code execution in a privileged process, the TCB, or the ICE;\u003cbr\u003e\u003cbr\u003e3. Unauthorized access to TEE-protected data;\u003cbr\u003e\u003cbr\u003e4. Remote access to protected data (usually limited to data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process);\u003cbr\u003e\u003cbr\u003e5. 
Local permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS);\u003cbr\u003e\u003cbr\u003e6. Remote temporary DoS attacks (remote hang or reboot);\u003cbr\u003e\u003cbr\u003e7. Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission);\u003cbr\u003e\u003cbr\u003e8. Local bypass of user interaction requirements for modifying security settings (such as Developer Options);\u003cbr\u003e\u003cbr\u003e9. Bypass of the security protection mechanism that separates the app data from other apps;\u003cbr\u003e\u003cbr\u003e10. Bypass of the security protection mechanism that separates users or user profiles from one another;\u003cbr\u003e\u003cbr\u003e11. Local bypass of user interaction requirements for installing an app package or an equivalent action;\u003cbr\u003e\u003cbr\u003e12. Lock screen bypass;\u003cbr\u003e\u003cbr\u003e13. Bypass of the device protection functions (such as the \"Find My Phone\" function);\u003cbr\u003e\u003cbr\u003e14. Bypass of the carrier's restrictions (such as SIM card lock);\u003cbr\u003e\u003cbr\u003e15. Bypass of the authentication mechanism to control OPPO smart devices;\u003cbr\u003e\u003cbr\u003e16. Local acquisition of private user data through the AI model. | **$2,900-$3,500** |\n| **Moderate** | 1. Remote code execution in a constrained process;\u003cbr\u003e\u003cbr\u003e2. Local code execution in an unprivileged process;\u003cbr\u003e\u003cbr\u003e3. Bypass of the mitigation technology in a privileged process or in the TCB, ICE, or TEE;\u003cbr\u003e\u003cbr\u003e4. Bypass of restrictions on a constrained process;\u003cbr\u003e\u003cbr\u003e5. Bypass of restrictions on privacy password;\u003cbr\u003e\u003cbr\u003e6. 
Remote access to unprotected data (usually referring to all the data that can be accessed by locally installed apps);\u003cbr\u003e\u003cbr\u003e7. Local access to protected data (usually limited to data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process);\u003cbr\u003e\u003cbr\u003e8. Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission);\u003cbr\u003e\u003cbr\u003e9. Plain-text leakage caused by an incorrect choice of encryption algorithm or mode, or by an incorrect implementation of the algorithm;\u003cbr\u003e\u003cbr\u003e10. Bypass of factory reset protection;\u003cbr\u003e\u003cbr\u003e11. Targeted blocking of access to emergency services. | **$230-$430** |\n| **Low** | 1. Local arbitrary code execution in a constrained process;\u003cbr\u003e\u003cbr\u003e2. Bypass of the mitigation technology in an unprivileged process. | **$20-$45** |\n\n---\n\n**Technical Abbreviations:**\n- **TEE:** Trusted Execution Environment\n- **TCB:** Trusted Computing Base\n- **ICE:** Independent Computing Environment (for example, a baseband modem; see the definition below)\n- **DoS:** Denial of Service\n\n\n# Special Notes of Mobile Devices Scoring Rules\n**Concepts Involved in Mobile Phone Security Vulnerabilities**\n- Remote: The attacker exploits a vulnerability without installing the app concerned and without physical contact with the victim's device, for example by having the victim browse web pages, read SMS or MMS messages, receive or send emails, or download files, or through wireless network communication (excluding communication over a distance of less than 10 cm).\n- Local: The attacker exploits a vulnerability to launch an attack. 
This kind of attack requires a relevant app to be installed on the victim's system, or physical contact with the victim's device (communication over a distance of less than 10 cm).\n- Constrained process: a process subject to stricter permission restrictions than a normal app process, running in a tightly restricted SELinux (SEAndroid) domain.\n- Normal app process: an application or process running in the untrusted_app or platform_app domain of SELinux (SEAndroid), such as a third-party application/process or a built-in application/process without system-level permissions.\n- Privileged process: an application or process running in the system_app domain of SELinux (SEAndroid), such as a process running with system-level or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a device's protective mechanisms, including hardware, firmware, software, and the components that implement security policies. It provides the basic protection environment and the additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user-space services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device and is mainly used to provide the Android system with a running environment for security services such as trusted computing and trusted storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware, and a simple OS, such as a baseband modem.\n\n**Application for CVE IDs**\nOPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nFor a CVE application, send an email to security@oppo.com. 
You need to list the following points in the email:\n- The name and Report ID of the vulnerability\n- The impact of the vulnerability\n- The type and severity of the vulnerability\n- PoC\n- The nickname and email of the applicant\nThe OSRC team will review the vulnerability report in line with CVE requirements. If the review finds no problem, the OSRC will help the researcher apply for a CVE ID. \n\n**Repeated Vulnerability Reports**\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be treated as duplicates.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on proof of the relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter of the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same root cause, only the first one will be recorded and the rest will be left out.\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the rest will be left out.\n\n**Zero-Day Vulnerabilities**\n- We accept zero-day (also known as 0-day) vulnerabilities found only in OPPO or realme products and services.\n\n**General Vulnerability Review Principles for Third-Party Products**\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the Tomcat and Apache components being used by OPPO or realme, OpenSSL, and third-party SDKs. 
For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO or realme has already received the vulnerability from another channel, OPPO or realme will give a FAIL result to the vulnerability report. If OPPO or realme remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO or realme has already received the vulnerability from another channel, OPPO or realme will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's and realme's third-party products, OPPO or realme will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n-  If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. 
For a reported vulnerability, the lack of a PoC, exploit information, or analysis details will directly affect the scoring.\n- Reporting threats or intelligence already published online will be given no score.\n- The review result for a vulnerability is determined based on the difficulty of exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO reserves the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept attachments smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, Excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n**Clause Interpretation**\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add the following header to their requests so that testing traffic can be identified:\n* “X-HackerOne-Research: [H1 username]”\n\n# OPPO Security Disclosure Statement\n\nOPPO is committed to product security and user privacy protection. 
Our OSRC (OPPO Security Response Center) Vulnerability Disclosure Program provides a secure channel for researchers to report security issues.\n\n## Responsible Disclosure Policy\n\nWhen reporting vulnerabilities:\n- Allow reasonable time for investigation before public disclosure\n- Do not exploit discovered vulnerabilities or access sensitive data\n- Follow applicable laws and privacy regulations\n- Agree to OPPO's Privacy Policy and these Terms \u0026 Conditions\n\n## Terms \u0026 Conditions\n\n- Any inadvertent access to proprietary data must be declared in your report and must not be used, stored, or disclosed\n- Submissions grant OPPO a worldwide, permanent, royalty-free license to use the report to address the vulnerabilities\n- Do not disclose vulnerabilities to third parties without prior written consent\n- OPPO will respond within 15 working days and provide progress updates\n\n## Important Notice\n\nTo protect users, OPPO will not discuss security issues before completing a full investigation.\n\n**Report vulnerabilities at:** [https://security.oppo.com/en/responsibleDisclosure](https://security.oppo.com/en/responsibleDisclosure)\n\n---\n\n*By participating, you acknowledge understanding and acceptance of these policies.*\n\n## Prohibitions\n- OPPO and realme oppose and condemn all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. 
For the above-mentioned behaviors, OPPO will pursue legal remedies and hold the relevant people accountable in accordance with the law.\n\nYou can find more details of the device standards at: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554748210814394368\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"At OPPO, we believe in the power of collaboration to enhance security. That’s why we are excited to publicly collect business vulnerability reports through our H1 initiative. With our extensive testing resources and a generous reward program, we aim to encourage ethical hackers and security researchers from around the globe to contribute to the safety of our products and services.","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. 
For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-30T10:25:11.743Z"},{"id":3764953,"new_policy":"OPPO’s commitment to global researcher collaboration significantly enhances product security. \nWe welcome hackers worldwide to submit security vulnerability reports related to OPPO services. Your contributions will help enhance the security of OPPO's business and products. \nThe OPPO program on H1 currently accepts vulnerabilities in the following areas:\n\n**Web/App services**\nFor the scope of acceptance, please refer to:\n🔹 Google Document (detailed domain/package name scope): https://docs.google.com/spreadsheets/d/1K2knhissfw817g_wLNQYJLGIn--j9HKHYBXsdALrD8Y/edit?usp=sharing\n\n**Web Application Scoring Rules**\nWe have defined four levels for web application security vulnerabilities based on the degree of their impact: Critical, High, Moderate, and Low.\n# Level\n\n| Severity | Example of Vulnerability and Impact |\n|----------|-------------------------------------|\n| Critical | Including but not limited to: 
                                                                                                                                                                                                                                                                                           |\n|          | 1. Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.|\n|          | 2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.                                      |\n|          | 3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account.                                                                                                       |\n| High     | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. 
Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. |\n|          | 2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server-side encryption or plain-text storage of passwords, hard-coded secrets, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords). |\n|          | 3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive intranet data. |\n|          | 4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account. |\n|          | 5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can spread automatically and allow acquisition of authentication credentials (cookies). 
|\n| Moderate | Including but not limited to: |\n|          | 1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS on general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide proof of the harm to other users. |\n|          | 2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations. |\n|          | 3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over HTTP when a HeyTap account is used for sign-in. |\n|          | 4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic of important systems that allow the verification and its related restrictions to be bypassed, leading to credential stuffing attacks. |\n|          | 5. Unrestricted brute-force attacks on important account systems. 
                                                                                                                                                           |\n| Low      | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties.                                                                           |\n|          | 2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exceptions information and configuration settings, log printing and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in.                                                                        |\n|          | 3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If PoC for URL redirection shows that an OPPO URL can be redirected to any domain that doesn't belong to OPPO without any prompts displayed, then there is a vulnerability. Otherwise no vulnerability exists.) |\n|          | 4. Vulnerabilities that are difficult to exploit but may cause security risks. 
Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON Hijacking that has obtained sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (valid PoC must be provided in the vulnerability details). |\n|          | 5. Other vulnerabilities that can only cause slight impact. Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions.                                                                                                            |\n|          | 6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.)  |\n| NSI      | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues.                                                                                                        |\n|          | 2. 
Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited. |\n|          | 3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers.                                     |\n|          | 4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information.                                                                                                                                                                                         |\n|          | 5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.                                                                                                                                                              |\n|          | 6. Cracking of 6-digit verification codes by distributed equipment.                                                                                                                                                                                                                      
                                             |\n|          | 7. Other vulnerabilities with extremely low risks. |\n\n\n**Mobile App Security Vulnerabilities**\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS or realme UI. It includes security vulnerabilities in ColorOS or realme UI built-ins and security vulnerabilities in OPPO's and realme's proprietary apps available in the App Market.\n\n# Vulnerability Levels and Examples\n| Level    | Example of Vulnerability and Impact |\n|----------|-------------------------------------|\n| Critical | 1. Arbitrary code execution in the TEE; \u003cbr\u003e 2. Unauthorized access to TEE-protected data (only limited to fingerprints, face data, payment information, and other data that can cause property loss to the victim); \u003cbr\u003e 3. Remote code execution in a privileged process or the TCB or ICE; \u003cbr\u003e 4. Remote permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS); \u003cbr\u003e 5. 
Remote bypass of interaction requirements for installing an app package or an equivalent action; \u003cbr\u003e 6. Bypass of secure boot mechanism; \u003cbr\u003e 7. Upgrading to firmware or image not signed by OPPO; \u003cbr\u003e 8. Vulnerabilities allowing individuals to extract or infer private user information from the AI model file, such as images and sounds. |\n| High     | 1. Remote code execution in an unprivileged process; \u003cbr\u003e 2. Local arbitrary code execution in a privileged process, the TCB or ICE; \u003cbr\u003e 3. Unauthorized access to TEE-protected data; \u003cbr\u003e 4. Remote access to protected data (usually limited to the data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process); \u003cbr\u003e 5. Local permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS); \u003cbr\u003e 6. Remote temporary DoS attacks (remote hang or reboot); \u003cbr\u003e 7. Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission); \u003cbr\u003e 8. Local bypass of user interaction requirements for modifying security settings (such as Developer Options); \u003cbr\u003e 9. Bypass of the security protection mechanism that separates the app data from other apps; \u003cbr\u003e 10. Bypass of the security protection mechanism that separates users or user profiles from one another; \u003cbr\u003e 11. Local bypass of user interaction requirements for installing an app package or an equivalent action; \u003cbr\u003e 12. Lock screen bypass; \u003cbr\u003e 13. Bypass of the device protection functions (such as the \"Find My Phone\" function); \u003cbr\u003e 14. Bypass of the carrier's restrictions (such as SIM card lock); \u003cbr\u003e 15. 
Bypass of the authentication mechanism to control OPPO smart devices; \u003cbr\u003e 16. Local acquisition of private user data through the AI model. |\n| Moderate | 1. Remote code execution in a constrained process; \u003cbr\u003e 2. Local code execution in an unprivileged process; \u003cbr\u003e 3. Bypass of the mitigation technology in a privileged process or in the TCB, ICE, or TEE; \u003cbr\u003e 4. Bypass of restrictions on a constrained process; \u003cbr\u003e 5. Bypass of restrictions on privacy password; \u003cbr\u003e 6. Remote access to unprotected data (usually referring to all the data that can be accessed by locally installed apps); \u003cbr\u003e 7. Local access to protected data (usually limited to the data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process); \u003cbr\u003e 8. Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission); \u003cbr\u003e 9. Plain text leakage vulnerability caused by the incorrect encryption algorithm model or incorrect implementation of the encryption algorithm; \u003cbr\u003e 10. Bypass of the protection function for restoring factory settings; \u003cbr\u003e 11. Targeted blocking of access to emergency services. |\n| Low      | 1. Local arbitrary code execution in a constrained process; \u003cbr\u003e 2. Bypass of the mitigation technology in an unprivileged process.                                                                                                                                                                                                 
|\n\n# Special Notes on Mobile Device Scoring Rules\n**Concepts Involved in Mobile Phone Security Vulnerabilities**\n- Remote: The attacker exploits vulnerabilities to launch an attack without installing the app concerned or having physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or using wireless network communications (excluding communication at a distance of less than 10 cm).\n- Local: The attacker exploits vulnerabilities to launch an attack. This kind of attack requires the relevant app to be installed on the victim's system, or requires the attacker to have physical contact with the victim's system, with a communication distance of less than 10 cm.\n- Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted SELinux (SEAndroid) domain.\n- Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application/process or a built-in application/process without system-level permissions.\n- Privileged process: refers to an application or process running in the system_app domain of SELinux (or SEAndroid), such as a process running with system-level permissions or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a computer's protection mechanisms, including hardware, firmware, software, and components that implement security policies. It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. 
It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware, and a simple OS, such as a baseband modem.\n\n**Application for CVE IDs**\n- OPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nTo apply for a CVE ID, send an application email to security@oppo.com listing the following points:\n- The name and Report ID of the vulnerability\n- The impact of the vulnerability\n- The type and the severity of the vulnerability\n- PoC\n- The nickname and the email of the applicant\nThe OSRC team will review the vulnerability report in line with CVE requirements. If the review finds no problem, the OSRC will help the researcher apply for a CVE ID. \n\n**Repeated Vulnerability Reports**\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered repeated reports.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on proof of the relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. 
For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining ones will be left out.\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining ones will be left out.\n\n**Zero-Day Vulnerabilities**\n- We accept zero-day (also known as 0-day) vulnerabilities found only in OPPO or realme products and services.\n\n**General Vulnerability Review Principles for Third-Party Products**\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the Tomcat and Apache components being used by OPPO or realme, OpenSSL, and third-party SDKs. For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO or realme has already received the vulnerability from another channel, OPPO or realme will give a FAIL result to the vulnerability report. If OPPO or realme remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO or realme has already received the vulnerability from another channel, OPPO or realme will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's and realme's third-party products, OPPO or realme will reward the first vulnerability reporter. 
In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. For a reported vulnerability, the lack of a PoC, exploit information, or analysis details will directly affect the scoring.\n- Reporting threats or intelligence already published online will be given no score.\n- The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. 
In addition, OPPO will reserve the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n**Clause Interpretation**\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n# Prohibitions\n- OPPO and realme oppose and condemn all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. For the above-mentioned behaviors, OPPO will pursue legal support and hold the relevant people accountable in accordance with the law.\n\nYou can find more details of the device standard at: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554748210814394368\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"At OPPO, we believe in the power of collaboration to enhance security. That’s why we are excited to publicly collect business vulnerability reports through our H1 initiative. 
With our extensive testing resources and a generous reward program, we aim to encourage ethical hackers and security researchers from around the globe to contribute to the safety of our products and services.","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-10-22T03:24:04.087Z"},{"id":3760536,"new_policy":"OPPO’s commitment to global researcher collaboration significantly enhances product security. \nWe welcome hackers worldwide to submit security vulnerability reports related to OPPO services. Your contributions will help enhance the security of OPPO's business and products. 
\nThe OPPO program on H1 currently accepts vulnerabilities in the following areas:\n\n**Web/App services**\nFor the scope of acceptance, please refer to:\n🔹 Google Document (detailed domain/package name scope): https://docs.google.com/spreadsheets/d/1K2knhissfw817g_wLNQYJLGIn--j9HKHYBXsdALrD8Y/edit?usp=sharing\n\n**Web Application Scoring Rules**\nWe have defined four levels for mobile phone security vulnerabilities based on the degree of their impact: Critical, High, Moderate, and Low.\n# Level\n\n| Severity | Example of Vulnerability and Impact |\n|----------|-------------------------------------|\n| Critical | Including but not limited to: |\n|          | 1. 
Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.|\n|          | 2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.                                      |\n|          | 3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account.                                                                                                       |\n| High     | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.|\n|          | 2. 
Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard coding, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords). |\n|          | 3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data. |\n|          | 4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account. |\n|          | 5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can spread automatically and allow acquisition of authentication credentials (cookies). |\n| Moderate | Including but not limited to: |\n|          | 1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS to general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. 
All vulnerability descriptions must provide proof of the harm to other users. |\n|          | 2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations. |\n|          | 3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over HTTP when a HeyTap account is used for sign-in. |\n|          | 4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks. |\n|          | 5. Unrestricted brute-force attacks on important account systems. |\n| Low      | Including but not limited to: |\n|          | 1. 
Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties.                                                                           |\n|          | 2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exceptions information and configuration settings, log printing and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in.                                                                        |\n|          | 3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If PoC for URL redirection shows that an OPPO URL can be redirected to any domain that doesn't belong to OPPO without any prompts displayed, then there is a vulnerability. Otherwise no vulnerability exists.) |\n|          | 4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON Hijacking that has obtained sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (valid PoC must be provided in the vulnerability details). |\n|          | 5. Other vulnerabilities that can only cause slight impact. 
Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions.                                                                                                            |\n|          | 6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.)  |\n| NSI      | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues.                                                                                                        |\n|          | 2. 
Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited. |\n|          | 3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers.                                     |\n|          | 4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information.                                                                                                                                                                                         |\n|          | 5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.                                                                                                                                                              |\n|          | 6. Cracking of 6-digit verification codes by distributed equipment.                                                                                                                                                                                                                      
                                             |\n|          | 7. Other vulnerabilities with extremely low risks. |\n\n\n**Mobile App Security Vulnerabilities**\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS. It includes security vulnerabilities in ColorOS built-ins and security vulnerabilities in OPPO's proprietary apps available in the App Market.\n\n# Vulnerability Levels and Examples\n| Level    | Example of Vulnerability and Impact |\n|----------|-------------------------------------|\n| Critical | 1. Arbitrary code execution in the TEE; \u003cbr\u003e 2. Unauthorized access to TEE-protected data (only limited to fingerprints, face data, payment information, and other data that can cause property loss to the victim); \u003cbr\u003e 3. Remote code execution in a privileged process or the TCB or ICE; \u003cbr\u003e 4. Remote permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS); \u003cbr\u003e 5. 
Remote bypass of interaction requirements for installing an app package or an equivalent action; \u003cbr\u003e 6. Bypass of secure boot mechanism; \u003cbr\u003e 7. Upgrading to firmware or image not signed by OPPO; \u003cbr\u003e 8. Vulnerabilities allowing individuals to extract or infer private user information from the AI model file, such as images and sounds. |\n| High     | 1. Remote code execution in an unprivileged process; \u003cbr\u003e 2. Local arbitrary code execution in a privileged process, the TCB or ICE; \u003cbr\u003e 3. Unauthorized access to TEE-protected data; \u003cbr\u003e 4. Remote access to protected data (usually limited to the data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process); \u003cbr\u003e 5. Local permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS); \u003cbr\u003e 6. Remote temporary DoS attacks (remote hang or reboot); \u003cbr\u003e 7. Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission); \u003cbr\u003e 8. Local bypass of user interaction requirements for modifying security settings (such as Developer Options); \u003cbr\u003e 9. Bypass of the security protection mechanism that separates the app data from other apps; \u003cbr\u003e 10. Bypass of the security protection mechanism that separates users or user profiles from one another; \u003cbr\u003e 11. Local bypass of user interaction requirements for installing an app package or an equivalent action; \u003cbr\u003e 12. Lock screen bypass; \u003cbr\u003e 13. Bypass of the device protection functions (such as the \"Find My Phone\" function); \u003cbr\u003e 14. Bypass of the carrier's restrictions (such as SIM card lock); \u003cbr\u003e 15. 
Bypass of the authentication mechanism to control OPPO smart devices; \u003cbr\u003e 16. Local acquisition of private user data through the AI model. |\n| Moderate | 1. Remote code execution in a constrained process; \u003cbr\u003e 2. Local code execution in an unprivileged process; \u003cbr\u003e 3. Bypass of the mitigation technology in a privileged process or in the TCB, ICE, or TEE; \u003cbr\u003e 4. Bypass of restrictions on a constrained process; \u003cbr\u003e 5. Bypass of restrictions on privacy password; \u003cbr\u003e 6. Remote access to unprotected data (usually referring to all the data that can be accessed by locally installed apps); \u003cbr\u003e 7. Local access to protected data (usually limited to the data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process); \u003cbr\u003e 8. Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission); \u003cbr\u003e 9. Plain text leakage vulnerability caused by the incorrect encryption algorithm model or incorrect implementation of the encryption algorithm; \u003cbr\u003e 10. Bypass of the protection function for restoring factory settings; \u003cbr\u003e 11. Targeted blocking of access to emergency services. |\n| Low      | 1. Local arbitrary code execution in a constrained process; \u003cbr\u003e 2. Bypass of the mitigation technology in an unprivileged process.                                                                                                                                                                                                 
|\n\n# Special Notes on Mobile Device Scoring Rules\n**Concepts Involved in Mobile Phone Security Vulnerabilities**\n- Remote: The attacker exploits vulnerabilities to launch an attack without installing the app concerned and without physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or having wireless network communications (excluding communication at a distance of less than 10 cm).\n- Local: The attacker exploits vulnerabilities to launch an attack that requires either a relevant app to be installed on the victim's system or physical contact with the victim's system at a communication distance of less than 10 cm.\n- Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted domain such as SELinux or SEAndroid.\n- Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application/process or built-in application/process without system-level permissions.\n- Privileged process: refers to an application or process running in the system_app domain of SELinux (or SEAndroid), such as a process running with system-level permissions or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a computer's protective devices, including hardware, firmware, software, and components that implement security policies. It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. 
It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and a simple OS, such as a baseband modem.\n\n**Application for CVE IDs**\nOPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nTo apply for a CVE ID, send an application email to security@oppo.com that lists the following points:\n- The name and Report ID of the vulnerability\n- The impact of the vulnerability\n- The type and the severity of the vulnerability\n- PoC\n- The nickname and the email of the applicant\nThe OSRC team will review the submitted vulnerability reports in line with CVE requirements. If the review finds no problem, the OSRC will help the researchers apply for CVE IDs.\n\n**Repeated Vulnerability Reports**\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. 
For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\n\n**Zero-Day Vulnerabilities**\n- We accept zero-day (also known as 0-day) vulnerabilities found only in OPPO products and services.\n\n**General Vulnerability Review Principles for Third-Party Products**\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the Tomcat and Apache components used by OPPO, OpenSSL, and third-party SDKs. For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. 
In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. For a reported vulnerability, the lack of a PoC, exploit information, or analysis details will directly affect the scoring.\n- Reporting threats or intelligence already published online will be given no score.\n- The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. 
In addition, OPPO reserves the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n**Clause Interpretation**\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n# Prohibitions\n- OPPO opposes and condemns all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. For the above-mentioned behaviors, OPPO will pursue legal support and hold relevant people accountable in accordance with law.\n\nYou can find more details of the device standard at: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554748210814394368\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"At OPPO, we believe in the power of collaboration to enhance security. That’s why we are excited to publicly collect business vulnerability reports through our H1 initiative. 
With our extensive testing resources and a generous reward program, we aim to encourage ethical hackers and security researchers from around the globe to contribute to the safety of our products and services.","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-08-05T02:03:49.090Z"},{"id":3759556,"new_policy":"OPPO’s commitment to global researcher collaboration significantly enhances product security. \nWe welcome hackers worldwide to submit security vulnerability reports related to OPPO services. Your contributions will help enhance the security of OPPO's business and products. 
\nOPPO program on H1 currently accept vulnerabilities in the following areas :\n\n**Web/App services**\nFor the scope of acceptance, please refer to:\n🔹 Google Document (detailed domain/package name scope): https://docs.google.com/spreadsheets/d/1K2knhissfw817g_wLNQYJLGIn--j9HKHYBXsdALrD8Y/edit?usp=sharing\n\n**Web Application Scoring Rules**\nWe have defined four levels for mobile phone security vulnerabilities based on the degree of their impact: Critical, High, Moderate, and Low.\n# Level\n\n| Severity | Example of Vulnerability and Impact                                                                                                                                                                                                                                                                                                                |\n|----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Critical | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. 
Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.|\n|          | 2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.                                      |\n|          | 3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account.                                                                                                       |\n| High     | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.|\n|          | 2. 
Leakages of sensitive information, including but limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard coding, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords).                 |\n|          | 3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data.                                                                 |\n|          | 4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account.                                                                                                           |\n|          | 5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can cause automatic spread of and allow acquisition of authentication credentials (cookies).                                                                                                            |\n| Moderate | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS to general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. 
All vulnerability descriptions must provide the proof of the harm to other users.                                                                              |\n|          | 2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations.                                                                                                                                                                                               |\n|          | 3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over the HTTP when a HeyTap account is used for sign-in.                                                                                                                                                  |\n|          | 4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks.                                                                                                            |\n|          | 5. Unrestricted brute-force attacks on important account systems.                                                                                                                                                                                                                                                                                 |\n| Low      | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. 
Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties.                                                                           |\n|          | 2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exceptions information and configuration settings, log printing and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in.                                                                        |\n|          | 3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If PoC for URL redirection shows that an OPPO URL can be redirected to any domain that doesn't belong to OPPO without any prompts displayed, then there is a vulnerability. Otherwise no vulnerability exists.) |\n|          | 4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON Hijacking that has obtained sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (valid PoC must be provided in the vulnerability details). |\n|          | 5. Other vulnerabilities that can only cause slight impact. 
Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions.                                                                                                            |\n|          | 6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.)  |\n| NSI      | Including but not limited to:                                                                                                                                                                                                                                                                                                                  |\n|          | 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues.                                                                                                        |\n|          | 2. 
Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited. |\n|          | 3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers.                                     |\n|          | 4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information.                                                                                                                                                                                         |\n|          | 5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.                                                                                                                                                              |\n|          | 6. Cracking of 6-digit verification codes by distributed equipment.                                                                                                                                                                                                                      
                                             |\n|          | 7. Other vulnerabilities with extremely low risks.                                                                                                                                                                                                                                                                                               |\n\n**Mobile devices**\nScope of Devices\n\n| Product Series | Models Name                                                                                                                                                                |\n|----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Reno series     | Reno8 Pro 5G, Reno8 5G, Reno9 5G, Reno9 Pro+ 5G, Reno9 Pro 5G, Reno9 5G, Reno10 Pro 5G, Reno10 5G, Reno10 Pro+ 5G, Reno11 Pro 5G, Reno11 5G, Reno12, Reno12 Pro        |\n| Find series     | Find N2, Find N2 Flip, Find X6, Find X6 Pro, Find N3, Find N3 Flip, Find X7, Find X7 Ultra                                                                               |\n| K series        | K9, K9 Pro, K9s, K10, K10 5G, Porsche-B                                                                                                                                    |\n| A series        | A16k, A76, A96, F21 Pro                                                                                                                                                   |\n| Note            | The above list will be updated from time to time. Please stay tuned! If any new model is launched but not in the list, that model is also in the reward scope.          |\n\n** Mobile App Security Vulnerabilities **\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS. 
It includes security vulnerabilities in ColorOS built-ins and security vulnerabilities in OPPO's proprietary apps available in the App Market.\n\n# Vulnerability Levels and Examples\n| Level    | Example of Vulnerability and Impact                                                                                                                                                                                                                                                                                               |\n|----------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Critical | 1. Arbitrary code execution in the TEE; \u003cbr\u003e 2. Unauthorized access to TEE-protected data (only limited to fingerprints, face data, payment information, and other data that can cause property loss to the victim); \u003cbr\u003e 3. Remote code execution in a privileged process or the TCB or ICE; \u003cbr\u003e 4. Remote permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS); \u003cbr\u003e 5. Remote bypass of interaction requirements for installing an app package or an equivalent action; \u003cbr\u003e 6. Bypass of secure boot mechanism; \u003cbr\u003e 7. Upgrading to firmware or image not signed by OPPO; \u003cbr\u003e 8. Vulnerabilities allowing individuals to extract or infer private user information from the AI model file, such as images and sounds. |\n| High     | 1. Remote code execution in an unprivileged process; \u003cbr\u003e 2. Local arbitrary code execution in a privileged process, the TCB or ICE; \u003cbr\u003e 3. Unauthorized access to TEE-protected data; \u003cbr\u003e 4. 
Remote access to protected data (usually limited to the data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process); \u003cbr\u003e 5. Local permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS); \u003cbr\u003e 6. Remote temporary DoS attacks (remote hang or reboot); \u003cbr\u003e 7. Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission); \u003cbr\u003e 8. Local bypass of user interaction requirements for modifying security settings (such as Developer Options); \u003cbr\u003e 9. Bypass of the security protection mechanism that separates the app data from other apps; \u003cbr\u003e 10. Bypass of the security protection mechanism that separates users or user profiles from one another; \u003cbr\u003e 11. Local bypass of user interaction requirements for installing an app package or an equivalent action; \u003cbr\u003e 12. Lock screen bypass; \u003cbr\u003e 13. Bypass of the device protection functions (such as the \"Find My Phone\" function); \u003cbr\u003e 14. Bypass of the carrier's restrictions (such as SIM card lock); \u003cbr\u003e 15. Bypass of the authentication mechanism to control OPPO smart devices; \u003cbr\u003e 16. Local acquisition of private user data through the AI model. |\n| Moderate | 1. Remote code execution in a constrained process; \u003cbr\u003e 2. Local code execution in an unprivileged process; \u003cbr\u003e 3. Bypass of the mitigation technology in a privileged process or in the TCB, ICE, or TEE; \u003cbr\u003e 4. Bypass of restrictions on a constrained process; \u003cbr\u003e 5. Bypass of restrictions on privacy password; \u003cbr\u003e 6. Remote access to unprotected data (usually referring to all the data that can be accessed by locally installed apps); \u003cbr\u003e 7. 
Local access to protected data (usually limited to the data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process); \u003cbr\u003e 8. Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission); \u003cbr\u003e 9. Plain text leakage vulnerability caused by the incorrect encryption algorithm model or incorrect implementation of the encryption algorithm; \u003cbr\u003e 10. Bypass of the protection function for restoring factory settings; \u003cbr\u003e 11. Targeted blocking of access to emergency services. |\n| Low      | 1. Local arbitrary code execution in a constrained process; \u003cbr\u003e 2. Bypass of the mitigation technology in an unprivileged process. |\n\n# Special Notes on Mobile Device Scoring Rules\n**Concepts Involved in Mobile Phone Security Vulnerabilities**\n- Remote: The attacker exploits vulnerabilities to launch an attack without installing the app concerned and without physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or having wireless network communications (excluding communication at a distance of less than 10 cm).\n- Local: The attacker exploits vulnerabilities to launch an attack. 
This kind of attack needs relevant apps to be installed in the victim's system or the attacker needs physical contact with the victim's system and the communication distance must be less than 10 cm.\n- Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted domain such as SELinux or SEAndroid.\n- Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application/process or built-in application/process without system-level permissions.\n- Privileged process: refers to an application or process running in the system_app of SELinux (or SEAndroid), such as a process running with system-level permissions or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a computer's protective devices, including hardware, firmware, software, and components that implement security policies. It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and simple OS, such as a baseband modem.\n\n** Application for CVE IDs **\nl OPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nFor CVE application, you could send an application email to security@oppo.com. 
You need to list the following points in the email:\n- The name and Report ID of the vulnerability\n- The influence of the vulnerability\n- The type and the severity of the vulnerability\n- POC\n- The nickname and the email of the applicant\nOSRC Team will review their vulnerability reports in line with CVE requirements. If the review finds no problem, the OSRC will help the researchers apply for CVE IDs. \n\n**  Repeated Vulnerability Reports **\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\n\n** Zero-Day Vulnerabilities **\n- We accepts zero-day (also known as 0-day) vulnerabilities found only in OPPO products and services.\n\n** General Vulnerability Review Principles for Third-Party Products **\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the components of Tomcat and Apache being used by OPPO, OpenSSL, and third-party SDKs. 
For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n-  If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. 
For a reported vulnerability, the lack of PoC, exploit information, or analysis details will directly affect the scoring.\n-  Reporting threats or intelligence already published online will be given no score.\n-  The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n-  If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO will reserve the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* OPPO generally do not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n**Clause Interpretation**\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n#Prohibitions\n- OPPO opposes and condemns all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. 
For the above-mentioned behaviors, OPPO will pursue legal support and hold relevant people accountable in accordance with law.\n\nYou can check more details of Devices standard on : https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554748210814394368\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"At OPPO, we believe in the power of collaboration to enhance security. That’s why we are excited to publicly collect business vulnerability reports through our H1 initiative. With our extensive testing resources and a generous reward program, we aim to encourage ethical hackers and security researchers from around the globe to contribute to the safety of our products and services.","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. 
For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-07-21T10:14:30.162Z"},{"id":3757387,"new_policy":"Here are web application and mobile app standard details.\n\nA complete vulnerability report generally includes the following sections:\n- A detailed description of the issue (what the problem is)\n- Actionable steps to reproduce the vulnerability\n- Necessary logs\n- A functioning proof-of-concept (POC) file\n\nOPPO only accept vulnerability from properties that belongs to us. We divided them into core properties and non-core properties.\n\n** Core Web Properties **\n\n| Brand  | Services in the Core properties |\n| :---- | :---- | \n| OPPO |OPPO\tBreeno, OPPO Store,  Mini Videos, Lock Screen Magazine, Browser, Global Search\t, App Market, Videos, My OPPO, Quick Games, Game Assistant, Game Center\t, HeyTap Cloud, Theme Store, Find My Phone, Community, Wallet, Smart Home, Quick Apps, Health\n\n** Non-Core Properties **\nNon-core properties refers to OPPO-owned assets that are not in the scope of core properties.\n\n**  Scoring Rules of  Web App and  Mobile App **\n** 1.  Web App Security Vulnerabilities **\n\n| Level   | Example of Vulnerability and Impact                                                                                                   |\n|---------|---------------------------------------------------------------------------------------------------------------------------------------|\n| Critical| Including but not limited to:                                                                                                        |\n|         | 1. 
Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. |\n|         | 2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users. |\n|         | 3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account. |\n| High    | Including but not limited to:                                                                                                        |\n|         | 1. Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. |\n|         | 2. Leakages of sensitive information, including but limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard coding, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords). |\n|         | 3. 
Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data. |\n|         | 4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account. |\n|         | 5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can cause automatic spread of and allow acquisition of authentication credentials (cookies). |\n| Moderate| Including but not limited to:                                                                                                        |\n|         | 1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS to general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide the proof of the harm to other users. |\n|         | 2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations. |\n|         | 3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over the HTTP when a HeyTap account is used for sign-in. |\n|         | 4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks. |\n|         | 5. Unrestricted brute-force attacks on important account systems.                                                                      
|\n| Low     | Including but not limited to:                                                                                                        |\n|         | 1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties. |\n|         | 2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exceptions information and configuration settings, log printing and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in. |\n|         | 3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If PoC for URL redirection shows that an OPPO URL can be redirected to any domain doesn't belong to OPPO without any prompts displayed, then there is a vulnerability. Otherwise no vulnerability exists.) |\n|         | 4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON Hijacking that has obtained sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (valid PoC must be provided in the vulnerability details). |\n|         | 5. Other vulnerabilities that can only cause slight impact. 
Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions. |\n|         | 6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.) |\n| NSI     | Including but not limited to:                                                                                                        |\n|         | 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues. |\n|         | 2. Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited. |\n|         | 3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers. |\n|         | 4. 
Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information. |\n|         | 5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses. |\n|         | 6. Cracking of 6-digit verification codes by distributed equipment.                                \nYou can check more details of Web/APP standard on : https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554747208929386496\n\n\n\n\n** 2.  Mobile App Security Vulnerabilities **\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS. It includes security vulnerabilities in ColorOS built-ins and security vulnerabilities in OPPO's proprietary apps available in the App Market.\n\nYou can check more details of Devices standard on : https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554748210814394368\n\n# Vulnerability Levels and Examples\n\n| Level    | Example of Vulnerability and Impact                                                                                                                                                                                                                                        |\n|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Critical | 1. Arbitrary code execution in the TEE; 2. Unauthorized access to TEE-protected data (only limited to fingerprints, face data, payment information, and other data that can cause property loss to the victim);  3. Remote code execution in a privileged process or the TCB or ICE;  4. 
Remote permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS);  5. Remote bypass of interaction requirements for installing an app package or an equivalent action;  6. Bypass of secure boot mechanism; 7. Upgrading to firmware or image not signed by OPPO; 8. Vulnerabilities allowing individuals to extract or infer private user information from the AI model file, such as images and sounds. |\n| High     | 1. Remote code execution in an unprivileged process; 2. Local arbitrary code execution in a privileged process, the TCB or ICE;  3. Unauthorized access to TEE-protected data; 4. Remote access to protected data (usually limited to the data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process);  5. Local permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS);  6. Remote temporary DoS attacks (remote hang or reboot); 7. Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission);  8. Local bypass of user interaction requirements for modifying security settings (such as Developer Options); 9. Bypass of the security protection mechanism that separates the app data from other apps;10. Bypass of the security protection mechanism that separates users or user profiles from one another;  11. Local bypass of user interaction requirements for installing an app package or an equivalent action; 12. Lock screen bypass;  13. Bypass of the device protection functions (such as the \"Find My Phone\" function); 14. Bypass of the carrier's restrictions (such as SIM card lock);  15. Bypass of the authentication mechanism to control OPPO smart devices; 16. Local acquisition of private user data through the AI model. 
|\n| Moderate | 1. Remote code execution in a constrained process;  2. Local code execution in an unprivileged process; 3. Bypass of the mitigation technology in a privileged process or in the TCB, ICE, or TEE; 4. Bypass of restrictions on a constrained process;  5. Bypass of restrictions on privacy password;  6. Remote access to unprotected data (usually referring to all the data that can be accessed by locally installed apps); 7. Local access to protected data (usually limited to the data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process); 8. Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission);  9. Plain text leakage vulnerability caused by the incorrect encryption algorithm model or incorrect implementation of the encryption algorithm; 10. Bypass of the protection function for restoring factory settings; 11. Targeted blocking of access to emergency services. |\n| Low      | 1. Local arbitrary code execution in a constrained process;  2. Bypass of the mitigation technology in an unprivileged process.                                                                                                                                         |\n\n\n# Special Notes of Mobile Devices Scoring Rules\n** Concepts Involved in Mobile Phone Security Vulnerabilities **\n- Remote: The attacker exploits vulnerabilities to launch an attack without installing the app concerned or without physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or having wireless network communications (excluding communication with a distance of less than 10 cm).\n- Local: The attacker exploits vulnerabilities to launch an attack. 
This kind of attack needs relevant apps to be installed in the victim's system or the attacker needs physical contact with the victim's system and the communication distance must be less than 10 cm.\n- Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted domain such as SELinux or SEAndroid.\n- Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application/process or built-in application/process without system-level permissions.\n- Privileged process: refers to an application or process running in the system_app of SELinux (or SEAndroid), such as a process running with system-level permissions or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a computer's protective devices, including hardware, firmware, software, and components that implement security policies. It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and simple OS, such as a baseband modem.\n\n** Application for CVE IDs **\nl OPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nFor CVE application, you could send an application email to security@oppo.com. 
You need to list the following points in the email:\n- The name and Report ID of the vulnerability\n- The influence of the vulnerability\n- The type and the severity of the vulnerability\n- POC\n- The nickname and the email of the applicant\nOSRC Team will review their vulnerability reports in line with CVE requirements. If the review finds no problem, the OSRC will help the researchers apply for CVE IDs. \n\n**  Repeated Vulnerability Reports **\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\n\n** Zero-Day Vulnerabilities **\n- We accepts zero-day (also known as 0-day) vulnerabilities found only in OPPO products and services.\n\n** General Vulnerability Review Principles for Third-Party Products **\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the components of Tomcat and Apache being used by OPPO, OpenSSL, and third-party SDKs. 
For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n-  If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. 
For a reported vulnerability, the lack of PoC, exploit information, or analysis details will directly affect the scoring.\n-  Reporting threats or intelligence already published online will be given no score.\n-  The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n-  If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO will reserve the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* OPPO generally do not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n10. Clause Interpretation\n\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n#Prohibitions\n- OPPO opposes and condemns all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. 
For the above-mentioned behaviors, OPPO will pursue legal support and hold relevant people accountable in accordance with law.\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"At OPPO, we believe in the power of collaboration to enhance security. That’s why we are excited to publicly collect business vulnerability reports through our H1 initiative. With our extensive testing resources and a generous reward program, we aim to encourage ethical hackers and security researchers from around the globe to contribute to the safety of our products and services.","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. 
For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-12T08:40:19.390Z"},{"id":3757386,"new_policy":"Here are web application and mobile app standard details.\n\nA complete vulnerability report generally includes the following sections:\n- A detailed description of the issue (what the problem is)\n- Actionable steps to reproduce the vulnerability\n- Necessary logs\n- A functioning proof-of-concept (POC) file\n\nOPPO only accepts vulnerabilities in properties that belong to us. We divide them into core properties and non-core properties.\n\n** Core Web Properties **\n\n| Brand | Services in the Core properties |\n| :---- | :---- |\n| OPPO | OPPO Breeno, OPPO Store, Mini Videos, Lock Screen Magazine, Browser, Global Search, App Market, Videos, My OPPO, Quick Games, Game Assistant, Game Center, HeyTap Cloud, Theme Store, Find My Phone, Community, Wallet, Smart Home, Quick Apps, Health |\n\n** Non-Core Properties **\nNon-core properties refer to OPPO-owned assets that are not in the scope of core properties.\n\n** Scoring Rules of Web App and Mobile App **\n** 1. Web App Security Vulnerabilities **\n\n| Level   | Example of Vulnerability and Impact                                                                                                   |\n|---------|---------------------------------------------------------------------------------------------------------------------------------------|\n| Critical| Including but not limited to:                                                                                                        |\n|         | 1. 
Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. |\n|         | 2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users. |\n|         | 3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account. |\n| High    | Including but not limited to:                                                                                                        |\n|         | 1. Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. |\n|         | 2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard coding, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords). |\n|         | 3. 
Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data. |\n|         | 4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account. |\n|         | 5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can cause automatic spread of and allow acquisition of authentication credentials (cookies). |\n| Moderate| Including but not limited to:                                                                                                        |\n|         | 1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS to general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide the proof of the harm to other users. |\n|         | 2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations. |\n|         | 3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over the HTTP when a HeyTap account is used for sign-in. |\n|         | 4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks. |\n|         | 5. Unrestricted brute-force attacks on important account systems.                                                                      
|\n| Low     | Including but not limited to:                                                                                                        |\n|         | 1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties. |\n|         | 2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exceptions information and configuration settings, log printing and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in. |\n|         | 3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If PoC for URL redirection shows that an OPPO URL can be redirected to any domain doesn't belong to OPPO without any prompts displayed, then there is a vulnerability. Otherwise no vulnerability exists.) |\n|         | 4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON Hijacking that has obtained sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (valid PoC must be provided in the vulnerability details). |\n|         | 5. Other vulnerabilities that can only cause slight impact. 
Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions. |\n|         | 6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.) |\n| NSI     | Including but not limited to:                                                                                                        |\n|         | 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues. |\n|         | 2. Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited. |\n|         | 3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers. |\n|         | 4. 
Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information. |\n|         | 5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses. |\n|         | 6. Cracking of 6-digit verification codes by distributed equipment. |\n\nYou can find more details of the Web/App standard at: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554747208929386496\n\n** 2. Mobile App Security Vulnerabilities **\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS. It includes security vulnerabilities in ColorOS built-ins and security vulnerabilities in OPPO's proprietary apps available in the App Market.\n\nYou can find more details of the device standard at: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554748210814394368\n\n# Vulnerability Levels and Examples\n\n| Level    | Example of Vulnerability and Impact                                                                                                                                                                                                                                        |\n|----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| Critical | 1. Arbitrary code execution in the TEE; 2. Unauthorized access to TEE-protected data (only limited to fingerprints, face data, payment information, and other data that can cause property loss to the victim);  3. Remote code execution in a privileged process or the TCB or ICE;  4. 
Remote permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS);  5. Remote bypass of interaction requirements for installing an app package or an equivalent action;  6. Bypass of secure boot mechanism; 7. Upgrading to firmware or image not signed by OPPO; 8. Vulnerabilities allowing individuals to extract or infer private user information from the AI model file, such as images and sounds. |\n| High     | 1. Remote code execution in an unprivileged process; 2. Local arbitrary code execution in a privileged process, the TCB or ICE;  3. Unauthorized access to TEE-protected data; 4. Remote access to protected data (usually limited to the data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process);  5. Local permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS);  6. Remote temporary DoS attacks (remote hang or reboot); 7. Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission);  8. Local bypass of user interaction requirements for modifying security settings (such as Developer Options); 9. Bypass of the security protection mechanism that separates the app data from other apps;10. Bypass of the security protection mechanism that separates users or user profiles from one another;  11. Local bypass of user interaction requirements for installing an app package or an equivalent action; 12. Lock screen bypass;  13. Bypass of the device protection functions (such as the \"Find My Phone\" function); 14. Bypass of the carrier's restrictions (such as SIM card lock);  15. Bypass of the authentication mechanism to control OPPO smart devices; 16. Local acquisition of private user data through the AI model. 
|\n| Moderate | 1. Remote code execution in a constrained process;  2. Local code execution in an unprivileged process; 3. Bypass of the mitigation technology in a privileged process or in the TCB, ICE, or TEE; 4. Bypass of restrictions on a constrained process;  5. Bypass of restrictions on privacy password;  6. Remote access to unprotected data (usually referring to all the data that can be accessed by locally installed apps); 7. Local access to protected data (usually limited to the data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process); 8. Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission);  9. Plain text leakage vulnerability caused by the incorrect encryption algorithm model or incorrect implementation of the encryption algorithm; 10. Bypass of the protection function for restoring factory settings; 11. Targeted blocking of access to emergency services. |\n| Low      | 1. Local arbitrary code execution in a constrained process;  2. Bypass of the mitigation technology in an unprivileged process.                                                                                                                                         |\n\n\n# Special Notes of Mobile Devices Scoring Rules\n** Concepts Involved in Mobile Phone Security Vulnerabilities **\n- Remote: The attacker exploits vulnerabilities to launch an attack without installing the app concerned or without physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or having wireless network communications (excluding communication with a distance of less than 10 cm).\n- Local: The attacker exploits vulnerabilities to launch an attack. 
This kind of attack needs relevant apps to be installed in the victim's system, or the attacker needs physical contact with the victim's system and the communication distance must be less than 10 cm.\n- Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted domain such as SELinux or SEAndroid.\n- Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application/process or built-in application/process without system-level permissions.\n- Privileged process: refers to an application or process running in the system_app domain of SELinux (or SEAndroid), such as a process running with system-level permissions or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a computer's protective devices, including hardware, firmware, software, and components that implement security policies. It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and simple OS, such as a baseband modem.\n\n** Application for CVE IDs **\n- OPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nTo apply for a CVE ID, send an application email to security@oppo.com. 
You need to list the following points in the email:\n- The name and Report ID of the vulnerability\n- The influence of the vulnerability\n- The type and the severity of the vulnerability\n- POC\n- The nickname and the email of the applicant\nThe OSRC team will review the vulnerability report in line with CVE requirements. If the review finds no problem, the OSRC will help the researcher apply for a CVE ID.\n\n** Repeated Vulnerability Reports **\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\n\n** Zero-Day Vulnerabilities **\n- We accept zero-day (also known as 0-day) vulnerabilities found only in OPPO products and services.\n\n** General Vulnerability Review Principles for Third-Party Products **\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the components of Tomcat and Apache being used by OPPO, OpenSSL, and third-party SDKs. 
For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n-  If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. 
For a reported vulnerability, the lack of PoC, exploit information, or analysis details will directly affect the scoring.\n- Reporting threats or intelligence already published online will be given no score.\n- The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO will reserve the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website.\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com).\n* OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n# Clause Interpretation\n\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n# Prohibitions\n- OPPO opposes and condemns all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. 
For the above-mentioned behaviors, OPPO will pursue legal support and hold relevant people accountable in accordance with law.\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. 
For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-06-12T08:30:25.915Z"},{"id":3751186,"new_policy":"Here are web application and mobile app standard details.\n\nA complete vulnerability report generally includes the following sections:\n- A detailed description of the issue (what the problem is)\n- Actionable steps to reproduce the vulnerability\n- Necessary logs\n- A functioning proof-of-concept (POC) file\n\nOPPO only accepts vulnerabilities in properties that belong to us. We divide them into core properties and non-core properties.\n\n** Core Web Properties **\n\n| Brand | Services in the Core properties |\n| :---- | :---- |\n| OPPO | OPPO Breeno, OPPO Store, Mini Videos, Lock Screen Magazine, Browser, Global Search, App Market, Videos, My OPPO, Quick Games, Game Assistant, Game Center, HeyTap Cloud, Theme Store, Find My Phone, Community, Wallet, Smart Home, Quick Apps, Health |\n\n** Non-Core Properties **\nNon-core properties refer to OPPO-owned assets that are not in the scope of core properties.\n\n** Scoring Rules of Web App and Mobile App **\n** 1. Web App Security Vulnerabilities **\n\n| Level     | Example of Vulnerability and Impact |\n|-----------|--------------------------------------|\n| Critical  | Including but not limited to:  \n1. Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.  \n2. 
Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.\n3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account. |\n| High      | Including but not limited to: \n1. Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. \n2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard coding, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords). \n3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data. \n4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account.\n5. 
Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can cause automatic spread of and allow acquisition of authentication credentials (cookies). |\n| Moderate  | Including but not limited to: \n 1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS to general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide the proof of the harm to other users. \n2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations. \n3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over the HTTP when a HeyTap account is used for sign-in.\n4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks. \n5. Unrestricted brute-force attacks on important account systems. |\n| Low       | Including but not limited to:\n1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties. \n2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exceptions information and configuration settings, log printing and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in. \n3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. 
(Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If PoC for URL redirection shows that an OPPO URL can be redirected to any domain doesn't belong to OPPO without any prompts displayed, then there is a vulnerability. Otherwise no vulnerability exists.)\n 4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON Hijacking that has obtained sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (valid PoC must be provided in the vulnerability details). \n5. Other vulnerabilities that can only cause slight impact. Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions. \n6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.) |\n| NSI       | Including but not limited to: \n1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues. \n2. 
Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited. \n3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers. \n4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information. \n5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.\n6. Cracking of 6-digit verification codes by distributed equipment. \n7. Other vulnerabilities with extremely low risks. |\nNotes:\n① A weak backend password vulnerability can be rated as moderate at most if the attacker accesses no sensitive information or performs no sensitive operations after logging in to the backend with the weak password.  \n② In principle, vulnerabilities detected at the backend will be downgraded.\n③ Only vulnerabilities directly resulting in denial-of-service (DoS) attacks will be accepted. The ratings of such vulnerabilities depend on the vulnerability itself and the way it is exploited. 
High-traffic, high-concurrency DoS vulnerabilities will not be accepted.\n④ The exploitation of vulnerabilities includes but is not limited to exploiting web vulnerabilities such as XSS and URL redirection to attack apps, and such vulnerabilities are rated as moderate. Newly discovered exploitation circumstances can be escalated as appropriate.\n⑤ Types of vulnerabilities that will not be accepted:\n+ Recently disclosed 0-day vulnerabilities (a researcher should wait for a cool-down period of around 30 days before reporting).\n+ Disclosure of known public files or directories.\n+ Use of a known-vulnerable library without a description of an exploit specific to our implementation.\n+ OPTIONS / TRACE HTTP method enabled.\n+ Login/logout/unauthenticated/low-impact CSRF.\n+ Software version disclosure.\n+ Cookies that keep working after logout.\n+ Presence of autocomplete attribute on web forms.\n+ Cookies that lack HttpOnly or Secure flags for non-sensitive data.\n+ Self-XSS and issues exploitable only through Self-XSS.\n+ Reports generated from automatic tools or scans.\n+ Issues related to network protocols or industry standards.\n+ Username enumeration based on login, forgot password, account creation and registration pages.\n+ Enforcement policies for brute force or account lockout.\n+ Unsecured SSL/TLS or SSH configurations.\n+ Clickjacking that is unrealistically complex or impractical to exploit.\n+ Mail configuration issues including SPF, DKIM, DMARC settings.\n+ Password or account recovery policies, such as reset link expiration or password complexity.\n+ Publicly accessible login panels.\n+ Lack of email verification when registering an account.\n+ Use of a known-vulnerable library (without proof of exploitability).\n+ Content spoofing / text injection.\n+ Missing security headers.\n+ Mixed content issues.\n+ Issues related to active sessions after password changes.\n+ Hyperlink injection in emails using forms available to any user.\n+ Reports of credentials exposed by other data breaches 
/ known credential lists.\n+ Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or wildcard presence/misconfiguration in these.\n+ Man-in-the-Middle attacks, except those exposing sensitive information such as passwords.\n+ Functional product defects, garbled pages, style mixing, and file path traversals that do not cause impact to OPPO.\n⑥ Definitions and levels of sensitive information:\n\n| Types of Sensitive Information | Level   |\n|--------------------------------|---------|\n| **Type:** Sensitive personal information of users  \n**Description:** Sensitive personal information of users is all kinds of information recorded in relation to identified or identifiable natural persons (excluding anonymized information), including but not limited to: personal biometric information, personal identification information, specific identification information, personal financial property information, personal medical and health information, children's personal information, as well as personal communications, contacts, and locations. | **Critical:** It may cause the leak of over 1 million sensitive information items in a combination of 3 types of personal information or over 3 million sensitive information items in a combination of 2 types of personal information. \n**High:** It may cause the leak of over 100,000 sensitive information items in a combination of 3 types of personal information or over 300,000 sensitive information items in a combination of 2 types of personal information. |\n| **Type:** Sensitive information of employees \n**Description:** Sensitive information of employees includes but is not limited to their: ID card number and address, medical reports, salary-related data, bank account number, home address, contact information of family members, religious beliefs, and marriage records. 
| **Critical:** It may cause the leak of over 60,000 sensitive information items in a combination of 3 types of personal information or over 80,000 sensitive information items in a combination of 2 types of personal information. \n**High:** It may cause the leak of over 30,000 sensitive information items in a combination of 3 types of personal information or over 50,000 sensitive information items in a combination of 2 types of personal information. |\n| **Type:** Other  \n **Description:** Other sensitive information leaks are assessed based on the actual harm caused. | N/A |\nNotes:\n- The above employees refer to the employees of the Oplus Group, excluding employees of its agents and suppliers.\n- The above quantities are used for general reference only and can be appropriately adjusted based on factors such as the importance of the system, the scale of data hosted by the system, and the importance of sensitive information.\n\n\n**2. Mobile App Security Vulnerabilities**\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS. It includes security vulnerabilities in ColorOS built-ins and security vulnerabilities in OPPO's proprietary apps available in the App Market.\n\n| Level     | Example of Vulnerability and Impact |\n|-----------|--------------------------------------|\n| Critical  | Including but not limited to: \n1. Remote code execution (RCE): The attacker is able to remotely execute arbitrary code with the app permissions, including but not limited to a remote memory corruption vulnerability (complete exploit information should be provided), a code execution vulnerability caused by overwriting a dynamic library, and other RCE vulnerabilities caused by logic issues. \n2. Remote silent installation of any app: The attacker installs any app remotely or through low-level user interaction.\n3. 
Other severe logic vulnerabilities that can be exploited remotely: including but not limited to remote account takeover, lock screen bypass, money transfer, and other attacks that severely endanger a user's account or asset. |\n| High      | Including but not limited to: \n 1. Arbitrary code execution (ACE): The attacker locally executes arbitrary code with the app permissions, including but not limited to a local memory corruption vulnerability (complete exploit information should be provided), a code execution vulnerability caused by overwriting a dynamic library, and other ACE vulnerabilities caused by logic issues. \n 2. Sensitive information leakages: The attacker obtains sensitive information on an app or device locally or through low-level user interaction. Such sensitive information includes login credentials, SMS messages, call history, contacts, browsing history, and other sensitive information in the private app directory. \n3. Privilege escalation vulnerabilities: Such vulnerabilities allow individuals to gain elevated access to an app to perform dangerous operations, including but not limited to launching any protected component of the app, enabling silent installation of any app, modifying the security and privacy settings of the app, and making silent calls or sending silent SMS messages through the app permissions. \n4. Other severe logic vulnerabilities: including but not limited to account takeover, lock screen bypass, money transfer, and other acts that are performed locally or through low-level user interaction and severely endanger a user's account or asset. \n5. Vulnerabilities able to break the site isolation restrictions of a browser, including but not limited to UXSS. |\n| Moderate  | Including but not limited to: \n1. Arbitrary code execution or silent installation by staging MITM attacks (valid PoC must be provided in the vulnerability details). \n2. 
Leakages of common information, including but not limited to the leakage of IMEI, IMSI, mobile number, and other common user information.\n3. Remote denial of service vulnerability. |\n| Low       | Including but not limited to: \n1. Stealing of sensitive information by staging MITM attacks (valid PoC must be provided in the vulnerability details).\n2. UI deception vulnerabilities that may cause actual harm. The risk level for this kind of vulnerability can be defined based on the actual harm. |\n| NSI       | Including but not limited to: \n 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, static directory traversals, and application compatibility issues. \n2. Vulnerabilities of no significance, including but not limited to a scanner's meaningless vulnerability reports (such as an automatic app analysis report on code decompilation and lack of security reinforcement). \n3. Vulnerabilities that result from necessary risky permissions but cannot be exploited. Such vulnerabilities include but are not limited to necessary component exposures, such as activity export. \n4. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses. \n 5. Local denial-of-service vulnerabilities: Bugs that can only be launched locally on the phone and cause apps to crash temporarily without leading to further security issues. \n 6. Other vulnerabilities with extremely low risks. |\n\nNotes\nThe following explains concepts involved in, for example, mobile app security vulnerabilities that can be triggered only through actions such as inducing a user to click a link or phishing email, or to install malicious software:\nRemote(ly): An online attack requires no physical contact with a user's mobile phone. 
Usually the attacker uses a browser, IM software or SMS messages to launch an attack.\nLocal(ly): It is necessary for the attacker to induce the victim to install malicious apps on the phone, or the attacker directly uses ADB commands, NFC, Bluetooth, or any other function to launch an attack.\nLow-level user interaction: specific to scenarios where a security vulnerability can be triggered just by clicking on a link.\nHigh-level user interaction: specific to scenarios where a security vulnerability can be triggered after an induced user installs a malicious app, clicks a phishing email, or clicks to confirm twice or more, or after a risk prompt is displayed.\n\n# Special Notes on Mobile Device Scoring Rules\n**Concepts Involved in Mobile Phone Security Vulnerabilities**\n- Remote: The attacker exploits vulnerabilities to launch an attack without installing the app concerned or without physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or having wireless network communications (excluding communication with a distance of less than 10 cm).\n- Local: The attacker exploits vulnerabilities to launch an attack. 
This kind of attack needs relevant apps to be installed in the victim's system, or the attacker needs physical contact with the victim's system and the communication distance must be less than 10 cm.\n- Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted domain such as SELinux or SEAndroid.\n- Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application/process or built-in application/process without system-level permissions.\n- Privileged process: refers to an application or process running in the system_app domain of SELinux (or SEAndroid), such as a process running with system-level permissions or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a computer's protective devices, including hardware, firmware, software, and components that implement security policies. It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and simple OS, such as a baseband modem.\n\n**Application for CVE IDs**\nOPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nFor CVE application, you can send an application email to security@oppo.com. 
You need to list the following points in the email:\n- The name and Report ID of the vulnerability\n- The impact of the vulnerability\n- The type and the severity of the vulnerability\n- PoC\n- The nickname and the email of the applicant\nThe OSRC team will review the vulnerability reports in line with CVE requirements. If the review finds no problem, the OSRC will help the researchers apply for CVE IDs. \n\n**Repeated Vulnerability Reports**\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\n\n**Zero-Day Vulnerabilities**\n- We accept zero-day (also known as 0-day) vulnerabilities found only in OPPO products and services.\n\n**General Vulnerability Review Principles for Third-Party Products**\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the components of Tomcat and Apache being used by OPPO, OpenSSL, and third-party SDKs. 
For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n-  If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. 
For a reported vulnerability, the lack of PoC, exploit information, or analysis details will directly affect the scoring.\n- Reporting threats or intelligence already published online will be given no score.\n- The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO reserves the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n10. Clause Interpretation\n\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n# Prohibitions\n- OPPO opposes and condemns all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. 
For the above-mentioned behaviors, OPPO will pursue legal support and hold relevant people accountable in accordance with the law.\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-04T06:11:42.849Z"},{"id":3751178,"new_policy":"Here are web application and mobile app standard details.\nOPPO only accepts vulnerabilities in properties that belong to us. 
We divided them into core properties and non-core properties.\n\n**Core Web Properties**\n\n| Brand  | Services in the Core properties |\n| :---- | :---- | \n| OPPO | Breeno, OPPO Store, Mini Videos, Lock Screen Magazine, Browser, Global Search, App Market, Videos, My OPPO, Quick Games, Game Assistant, Game Center, HeyTap Cloud, Theme Store, Find My Phone, Community, Wallet, Smart Home, Quick Apps, Health |\n\n**Non-Core Properties**\nNon-core properties refer to OPPO-owned assets that are not in the scope of core properties.\n\n**Scoring Rules of Web App and Mobile App**\n**1. Web App Security Vulnerabilities**\n\n| Level     | Example of Vulnerability and Impact |\n|-----------|--------------------------------------|\n| Critical  | Including but not limited to:  \n1. Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.  \n2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.\n3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account. |\n| High      | Including but not limited to: \n1. 
Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. \n2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard coding, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords). \n3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data. \n4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account.\n5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can spread automatically and allow acquisition of authentication credentials (cookies). |\n| Moderate  | Including but not limited to: \n1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS on general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide proof of the harm to other users. \n2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations. \n3. 
Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over HTTP when a HeyTap account is used for sign-in.\n4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks. \n5. Unrestricted brute-force attacks on important account systems. |\n| Low       | Including but not limited to:\n1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties. \n2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exception information and configuration settings, log printing and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in. \n3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If the PoC for URL redirection shows that an OPPO URL can be redirected to any domain that doesn't belong to OPPO without any prompts displayed, then there is a vulnerability. Otherwise no vulnerability exists.)\n4. Vulnerabilities that are difficult to exploit but may cause security risks. 
Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON hijacking that obtains sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (a valid PoC must be provided in the vulnerability details). \n5. Other vulnerabilities that can only cause slight impact. Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions. \n6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.) |\n| NSI       | Including but not limited to: \n1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues. \n2. 
Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited. \n3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers. \n4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information. \n5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.\n6. Cracking of 6-digit verification codes by distributed equipment. \n7. Other vulnerabilities with extremely low risks. |\nNotes:\n① A weak backend password vulnerability can be rated as moderate at most if the attacker accesses no sensitive information or performs no sensitive operations after logging in to the backend with the weak password.  \n② In principle, vulnerabilities detected at the backend will be downgraded.\n③ Only vulnerabilities directly resulting in denial-of-service (DoS) attacks will be accepted. The ratings of such vulnerabilities depend on the vulnerability itself and the way it is exploited. 
High-traffic, high-concurrency DoS vulnerabilities will not be accepted.\n④ The exploitation of vulnerabilities includes but is not limited to exploiting web vulnerabilities such as XSS and URL redirection to attack apps, and such vulnerabilities are rated as moderate. Newly discovered exploitation circumstances can be escalated as appropriate.\n⑤ Types of vulnerabilities that will not be accepted:\n+ Recently disclosed 0-day vulnerabilities (a researcher should wait for a cool-down period of around 30 days before reporting).\n+ Disclosure of known public files or directories.\n+ Use of a known-vulnerable library without a description of an exploit specific to our implementation.\n+ OPTIONS / TRACE HTTP method enabled.\n+ Login/logout/unauthenticated/low-impact CSRF.\n+ Software version disclosure.\n+ Cookies that keep working after logout.\n+ Presence of autocomplete attribute on web forms.\n+ Cookies that lack HttpOnly or Secure flags for non-sensitive data.\n+ Self-XSS and issues exploitable only through Self-XSS.\n+ Reports generated from automatic tools or scans.\n+ Issues related to network protocols or industry standards.\n+ Username enumeration based on login, forgot password, account creation and registration pages.\n+ Enforcement policies for brute force or account lockout.\n+ Unsecured SSL/TLS or SSH configurations.\n+ Clickjacking that is unrealistically complex or impractical to exploit.\n+ Mail configuration issues including SPF, DKIM, DMARC settings.\n+ Password or account recovery policies, such as reset link expiration or password complexity.\n+ Publicly accessible login panels.\n+ Lack of email verification when registering an account.\n+ Use of a known-vulnerable library (without proof of exploitability).\n+ Content spoofing / text injection.\n+ Missing security headers.\n+ Mixed content issues.\n+ Issues related to active sessions after password changes.\n+ Hyperlink injection in emails using forms available to any user.\n+ Reports of credentials exposed by other data breaches 
/ known credential lists.\n+ Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or wildcard presence/misconfiguration in these.\n+ Man-in-the-Middle attacks, except for sensitive information such as passwords.\n+ Functional product defects, garbled pages, style mixing, and file path traversals that have no impact on OPPO.\n⑥ Definitions and levels of sensitive information:\n\n| Types of Sensitive Information | Level   |\n|--------------------------------|---------|\n| **Type:** Sensitive personal information of users \u003cbr\u003e **Description:** Sensitive personal information of users is all kinds of information recorded in relation to identified or identifiable natural persons (excluding anonymized information), including but not limited to: personal biometric information, personal identification information, specific identification information, personal financial property information, personal medical and health information, children's personal information, as well as personal communications, contacts, and locations. | **Critical:** It may cause the leak of over 1 million sensitive information items in a combination of 3 types of personal information, or over 3 million sensitive information items in a combination of 2 types of personal information. \u003cbr\u003e **High:** It may cause the leak of over 100,000 sensitive information items in a combination of 3 types of personal information, or over 300,000 sensitive information items in a combination of 2 types of personal information. |\n| **Type:** Sensitive information of employees \u003cbr\u003e **Description:** Sensitive information of employees includes but is not limited to their: ID card number and address, medical reports, salary related data, bank account number, home address, contact information of family members, religious beliefs, and marriage records. 
| **Critical:** It may cause the leak of over 60,000 sensitive information items in a combination of 3 types of personal information, or over 80,000 sensitive information items in a combination of 2 types of personal information. \u003cbr\u003e **High:** It may cause the leak of over 30,000 sensitive information items in a combination of 3 types of personal information, or over 50,000 sensitive information items in a combination of 2 types of personal information. |\n| **Type:** Other \u003cbr\u003e **Description:** Other sensitive information leaks are assessed based on the actual harm caused. | N/A |\nNotes:\n- The above employees refer to the employees of the Oplus Group, excluding employees of its agents and suppliers.\n- The above quantities are used for general reference only and can be appropriately adjusted based on factors such as the importance of the system, the scale of data hosted by the system, and the importance of the sensitive information.\n\n\n**2. Mobile App Security Vulnerabilities**\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS. It includes security vulnerabilities in ColorOS built-ins and security vulnerabilities in OPPO's proprietary apps available in the App Market.\n\n| Level     | Example of Vulnerability and Impact |\n|-----------|--------------------------------------|\n| Critical  | Including but not limited to: \u003cbr\u003e 1. Remote code execution (RCE): The attacker is able to remotely execute arbitrary code with the app permissions, including but not limited to a remote memory corruption vulnerability (complete exploit information should be provided), a code execution vulnerability caused by overwriting a dynamic library, and other RCE vulnerabilities caused by logic issues. \u003cbr\u003e 2. Remote silent installation of any app: The attacker installs any app remotely or through low-level user interaction. \u003cbr\u003e 3. 
Other severe logic vulnerabilities that can be exploited remotely: including but not limited to remote account takeover, lock screen bypass, money transfer, and other attacks that severely endanger a user's account or asset. |\n| High      | Including but not limited to: \u003cbr\u003e 1. Arbitrary code execution (ACE): The attacker locally executes arbitrary code with the app permissions, including but not limited to a local memory corruption vulnerability (complete exploit information should be provided), a code execution vulnerability caused by overwriting a dynamic library, and other ACE vulnerabilities caused by logic issues. \u003cbr\u003e 2. Sensitive information leakages: The attacker obtains sensitive information on an app or device locally or through low-level user interaction. Such sensitive information includes login credentials, SMS messages, call history, contacts, browsing history, and other sensitive information in the private app directory. \u003cbr\u003e 3. Privilege escalation vulnerabilities: Such vulnerabilities allow individuals to gain elevated access to an app to perform dangerous operations, including but not limited to launching any protected component of the app, enabling silent installation of any app, modifying the security and privacy settings of the app, and making silent calls or sending silent SMS messages through the app permissions. \u003cbr\u003e 4. Other severe logic vulnerabilities: including but not limited to account takeover, lock screen bypass, money transfer, and other acts that are performed locally or through low-level user interaction and severely endanger a user's account or asset. \u003cbr\u003e 5. Vulnerabilities able to break the site isolation restrictions of a browser, including but not limited to UXSS. |\n| Moderate  | Including but not limited to: \u003cbr\u003e 1. Arbitrary code execution or silent installation by staging MITM attacks (valid PoC must be provided in the vulnerability details). \u003cbr\u003e 2. 
Leakages of common information, including but not limited to the leakage of IMEI, IMSI, mobile number, and other common user information. \u003cbr\u003e 3. Remote denial-of-service vulnerability. |\n| Low       | Including but not limited to: \u003cbr\u003e 1. Stealing of sensitive information by staging MITM attacks (valid PoC must be provided in the vulnerability details). \u003cbr\u003e 2. UI deception vulnerabilities that may cause actual harm. The risk level for this kind of vulnerability can be defined based on the actual harm. |\n| NSI       | Including but not limited to: \u003cbr\u003e 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, static directory traversals, and application compatibility issues. \u003cbr\u003e 2. Vulnerabilities of no significance, including but not limited to a scanner's meaningless vulnerability reports (such as an automatic app analysis report on code decompilation and lack of security reinforcement). \u003cbr\u003e 3. Vulnerabilities that result from necessary risky permissions but cannot be exploited. Such vulnerabilities include but are not limited to necessary component exposures, such as activity export. \u003cbr\u003e 4. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses. \u003cbr\u003e 5. Local denial-of-service vulnerabilities: Bugs that can only be launched locally on the phone and cause apps to crash temporarily without leading to further security issues. \u003cbr\u003e 6. Other vulnerabilities with extremely low risks. |\n\nNotes:\nThe following explains the concepts used above, for example in mobile app security vulnerabilities that can be triggered only through actions such as inducing a user to click a link or a phishing email, or to install malicious software:\nRemote(ly): An online attack that requires no physical contact with a user's mobile phone. 
Usually the attacker uses a browser, IM software or SMS messages to launch an attack.\nLocal(ly): The attacker must induce the victim to install malicious apps on the phone, or directly uses ADB commands, NFC, Bluetooth, or any other function to launch an attack.\nLow-level user interaction: specific to scenarios where a security vulnerability can be triggered just by clicking on a link.\nHigh-level user interaction: specific to scenarios where a security vulnerability can be triggered only after an induced user installs a malicious app, clicks a phishing email, or clicks to confirm twice or more, or after a risk prompt is displayed.\n\n# Special Notes on Mobile Device Scoring Rules\n**Concepts Involved in Mobile Phone Security Vulnerabilities**\n- Remote: The attacker exploits vulnerabilities to launch an attack without installing the app concerned or without physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or having wireless network communications (excluding communication at a distance of less than 10 cm).\n- Local: The attacker exploits vulnerabilities to launch an attack. 
This kind of attack requires the relevant apps to be installed on the victim's system, or physical contact with the victim's system, or a communication distance of less than 10 cm.\n- Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted SELinux (SEAndroid) domain.\n- Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (SEAndroid), such as a third-party application/process or a built-in application/process without system-level permissions.\n- Privileged process: refers to an application or process running in the system_app domain of SELinux (SEAndroid), such as a process running with system-level permissions or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a computer's protection mechanisms, including hardware, firmware, software, and components that implement security policies. It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and a simple OS, such as a baseband modem.\n\n**Application for CVE IDs**\nOPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nFor a CVE application, send an application email to security@oppo.com. 
You need to list the following points in the email:\n- The name and Report ID of the vulnerability\n- The impact of the vulnerability\n- The type and severity of the vulnerability\n- PoC\n- The nickname and email of the applicant\nThe OSRC team will review the vulnerability report in line with CVE requirements. If the review finds no problem, the OSRC will help the researcher apply for a CVE ID. \n\n**Repeated Vulnerability Reports**\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on proof of the relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\n\n**Zero-Day Vulnerabilities**\n- We accept zero-day (also known as 0-day) vulnerabilities found only in OPPO products and services.\n\n**General Vulnerability Review Principles for Third-Party Products**\n- Server-side vulnerabilities: including but not limited to vulnerabilities in the Tomcat and Apache components used by OPPO, OpenSSL, and third-party SDKs. 
For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO has already received the vulnerability from another channel, OPPO will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. 
For a reported vulnerability, the lack of a PoC, exploit information, or analysis details will directly affect the scoring.\n- Reporting threats or intelligence already published online will be given no score.\n- The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO reserves the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com)\n* OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n# Clause Interpretation\n\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n# Prohibitions\n- OPPO opposes and condemns all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing relevant system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. 
For the above-mentioned behaviors, OPPO will pursue legal support and hold the relevant people accountable in accordance with the law.\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":true,"protected_by_gold_standard_safe_harbor":true,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":"","platform_standards_exclusions":["{\"platform_standard\":\"MULTIPLE_REPORTS_HIGHLIGHTING_SYSTEMIC_ISSUES\",\"justification\":\"**  Repeated Vulnerability Reports **\\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.\\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\\n- If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.\\n-  For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.\"}"],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-03-04T03:19:08.980Z"},{"id":3750216,"new_policy":"Here are the web application and mobile app standard details.\nOPPO only accepts vulnerabilities in properties that belong to us. 
We divided them into core properties and non-core properties.\n\n**Core Web Properties**\n\n| Brand  | Services in the Core properties |\n| :---- | :---- | \n| OPPO | Breeno, OPPO Store, Mini Videos, Lock Screen Magazine, Browser, Global Search, App Market, Videos, My OPPO, Quick Games, Game Assistant, Game Center, HeyTap Cloud, Theme Store, Find My Phone, Community, Wallet, Smart Home, Quick Apps, Health |\n\n**Non-Core Properties**\nNon-core properties refer to OPPO-owned assets that are not in the scope of core properties.\n\n**Scoring Rules of Web App and Mobile App**\n**1. Web App Security Vulnerabilities**\n\n| Level     | Example of Vulnerability and Impact |\n|-----------|--------------------------------------|\n| Critical  | Including but not limited to: \u003cbr\u003e 1. Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. \u003cbr\u003e 2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transaction) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users. \u003cbr\u003e 3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account. |\n| High      | Including but not limited to: \u003cbr\u003e 1. 
Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions. \u003cbr\u003e 2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard-coded secrets, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords). \u003cbr\u003e 3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data. \u003cbr\u003e 4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account. \u003cbr\u003e 5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can spread automatically and allow acquisition of authentication credentials (cookies). |\n| Moderate  | Including but not limited to: \u003cbr\u003e 1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS on general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide proof of the harm to other users. \u003cbr\u003e 2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations. 
\u003cbr\u003e 3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over HTTP when a HeyTap account is used for sign-in. \u003cbr\u003e 4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks. \u003cbr\u003e 5. Unrestricted brute-force attacks on important account systems. |\n| Low       | Including but not limited to: \u003cbr\u003e 1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties. \u003cbr\u003e 2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exception information and configuration settings, log printing, and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in. \u003cbr\u003e 3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If the PoC for URL redirection shows that an OPPO URL can be redirected to any domain that does not belong to OPPO without any prompt being displayed, then there is a vulnerability. Otherwise no vulnerability exists.) \u003cbr\u003e 4. Vulnerabilities that are difficult to exploit but may cause security risks. 
Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON hijacking that obtains sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (valid PoC must be provided in the vulnerability details). \u003cbr\u003e 5. Other vulnerabilities that can only cause slight impact. Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations, and vulnerabilities in component-level permissions. \u003cbr\u003e 6. Verification code message/email bombing, which means that a single IP or user can keep sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reports wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.) |\n| NSI       | Including but not limited to: \u003cbr\u003e 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues. \u003cbr\u003e 2. 
Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST-based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited. \u003cbr\u003e 3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers. \u003cbr\u003e 4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware versions and other non-sensitive information. \u003cbr\u003e 5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses. \u003cbr\u003e 6. Cracking of 6-digit verification codes by distributed equipment. \u003cbr\u003e 7. Other vulnerabilities with extremely low risks. |\nNotes:\n① A weak backend password vulnerability can be rated as moderate at most if the attacker accesses no sensitive information or performs no sensitive operations after logging in to the backend with the weak password.\n② In principle, vulnerabilities detected at the backend will be downgraded.\n③ Only vulnerabilities directly resulting in denial-of-service (DoS) attacks will be accepted. The ratings of such vulnerabilities depend on the vulnerability itself and the way it is exploited. 
High-traffic, high-concurrency DoS vulnerabilities will not be accepted.\n④ The exploitation of vulnerabilities includes but is not limited to exploiting web vulnerabilities such as XSS and URL redirection to attack apps, and such vulnerabilities are rated as moderate. Newly discovered exploitation circumstances can be escalated as appropriate.\n⑤ Types of vulnerabilities that will not be accepted:\n+ Recently disclosed 0-day vulnerabilities (a researcher should wait for a cool-down period of around 30 days before reporting).\n+ Disclosure of known public files or directories.\n+ Use of a known-vulnerable library without proof of exploitability specific to our implementation.\n+ OPTIONS / TRACE HTTP method enabled.\n+ Login/logout/unauthenticated/low-impact CSRF.\n+ Software version disclosure.\n+ Cookies that keep working after logout.\n+ Presence of the autocomplete attribute on web forms.\n+ Cookies that lack the HttpOnly or Secure flag for non-sensitive data.\n+ Self-XSS and issues exploitable only through Self-XSS.\n+ Reports generated from automatic tools or scans.\n+ Issues related to network protocols or industry standards.\n+ Username enumeration based on login, forgot password, account creation and registration pages.\n+ Enforcement policies for brute force or account lockout.\n+ Unsecured SSL/TLS or SSH configurations.\n+ Unrealistic or impractically complex clickjacking.\n+ Mail configuration issues including SPF, DKIM, DMARC settings.\n+ Password or account recovery policies, such as reset link expiration or password complexity.\n+ Publicly accessible login panels.\n+ Lack of email verification when registering an account.\n+ Content spoofing / text injection.\n+ Missing security headers.\n+ Mixed content issues.\n+ Issues related to active sessions after password changes.\n+ Hyperlink injection in emails using forms available to any user.\n+ Reports of credentials exposed by other data breaches 
/ known credential lists.\n+ Lack of crossdomain.xml, p3p.xml, robots.txt or any other policy files, and/or wildcard presence/misconfiguration in these.\n+ Man-in-the-Middle attacks, except for sensitive information such as passwords.\n+ Functional product defects, garbled pages, style mixing, and file path traversals that have no impact on OPPO.\n⑥ Definitions and levels of sensitive information:\n\n| Types of Sensitive Information | Level   |\n|--------------------------------|---------|\n| **Type:** Sensitive personal information of users \u003cbr\u003e **Description:** Sensitive personal information of users is all kinds of information recorded in relation to identified or identifiable natural persons (excluding anonymized information), including but not limited to: personal biometric information, personal identification information, specific identification information, personal financial property information, personal medical and health information, children's personal information, as well as personal communications, contacts, and locations. | **Critical:** It may cause the leak of over 1 million sensitive information items in a combination of 3 types of personal information, or over 3 million sensitive information items in a combination of 2 types of personal information. \u003cbr\u003e **High:** It may cause the leak of over 100,000 sensitive information items in a combination of 3 types of personal information, or over 300,000 sensitive information items in a combination of 2 types of personal information. |\n| **Type:** Sensitive information of employees \u003cbr\u003e **Description:** Sensitive information of employees includes but is not limited to their: ID card number and address, medical reports, salary related data, bank account number, home address, contact information of family members, religious beliefs, and marriage records. 
| **Critical:** It may cause the leak of over 60,000 sensitive information items in a combination of 3 types of personal information, or over 80,000 sensitive information items in a combination of 2 types of personal information. \u003cbr\u003e **High:** It may cause the leak of over 30,000 sensitive information items in a combination of 3 types of personal information, or over 50,000 sensitive information items in a combination of 2 types of personal information. |\n| **Type:** Other \u003cbr\u003e **Description:** Other sensitive information leaks are assessed based on the actual harm caused. | N/A |\nNotes:\n- The above employees refer to the employees of the Oplus Group, excluding employees of its agents and suppliers.\n- The above quantities are used for general reference only and can be appropriately adjusted based on factors such as the importance of the system, the scale of data hosted by the system, and the importance of the sensitive information.\n\n\n**2. Mobile App Security Vulnerabilities**\nThis type of security vulnerability mainly refers to those in mobile devices powered by ColorOS. It includes security vulnerabilities in ColorOS built-ins and security vulnerabilities in OPPO's proprietary apps available in the App Market.\n\n| Level     | Example of Vulnerability and Impact |\n|-----------|--------------------------------------|\n| Critical  | Including but not limited to: \u003cbr\u003e 1. Remote code execution (RCE): The attacker is able to remotely execute arbitrary code with the app permissions, including but not limited to a remote memory corruption vulnerability (complete exploit information should be provided), a code execution vulnerability caused by overwriting a dynamic library, and other RCE vulnerabilities caused by logic issues. \u003cbr\u003e 2. Remote silent installation of any app: The attacker installs any app remotely or through low-level user interaction. \u003cbr\u003e 3. 
Other severe logic vulnerabilities that can be exploited remotely: including but not limited to remote account takeover, lock screen bypass, money transfer, and other attacks that severely endanger a user's account or asset. |\n| High      | Including but not limited to: \u003cbr\u003e 1. Arbitrary code execution (ACE): The attacker locally executes arbitrary code with the app permissions, including but not limited to a local memory corruption vulnerability (complete exploit information should be provided), a code execution vulnerability caused by overwriting a dynamic library, and other ACE vulnerabilities caused by logic issues. \u003cbr\u003e 2. Sensitive information leakages: The attacker obtains sensitive information on an app or device locally or through low-level user interaction. Such sensitive information includes login credentials, SMS messages, call history, contacts, browsing history, and other sensitive information in the private app directory. \u003cbr\u003e 3. Privilege escalation vulnerabilities: Such vulnerabilities allow individuals to gain elevated access to an app to perform dangerous operations, including but not limited to launching any protected component of the app, enabling silent installation of any app, modifying the security and privacy settings of the app, and making silent calls or sending silent SMS messages through the app permissions. \u003cbr\u003e 4. Other severe logic vulnerabilities: including but not limited to account takeover, lock screen bypass, money transfer, and other acts that are performed locally or through low-level user interaction and severely endanger a user's account or asset. \u003cbr\u003e 5. Vulnerabilities able to break the site isolation restrictions of a browser, including but not limited to UXSS. |\n| Moderate  | Including but not limited to: \u003cbr\u003e 1. Arbitrary code execution or silent installation by staging MITM attacks (valid PoC must be provided in the vulnerability details). \u003cbr\u003e 2. 
Leakages of common information, including but not limited to the leakage of IMEI, IMSI, mobile number, and other common user information. \u003cbr\u003e 3. Remote denial of service vulnerability. |\n| Low       | Including but not limited to: \u003cbr\u003e 1. Stealing of sensitive information by staging MITM attacks (valid PoC must be provided in the vulnerability details). \u003cbr\u003e 2. UI deception vulnerabilities that may cause actual harm. The risk level for this kind of vulnerability can be defined based on the actual harm. |\n| NSI       | Including but not limited to: \u003cbr\u003e 1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, static directory traversals, and application compatibility issues. \u003cbr\u003e 2. Vulnerabilities of no significance, including but not limited to a scanner's meaningless vulnerability reports (such as an automatic app analysis report on code decompilation and lack of security reinforcement). \u003cbr\u003e 3. Vulnerabilities that result from necessary risky permissions but cannot be exploited. Such vulnerabilities include but are not limited to necessary component exposures, such as activity export. \u003cbr\u003e 4. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses. \u003cbr\u003e 5. Local denial-of-service vulnerabilities: Bugs that can only be launched locally on the phone and cause apps to crash temporarily without leading to further security issues. \u003cbr\u003e 6. Other vulnerabilities with extremely low risks. 
|\n\nNotes:\nThe following explains the concepts used above for mobile app security vulnerabilities, for example those that can only be triggered by inducing a user to click a link or a phishing email, or to install malicious software:\nRemote(ly): an online attack that requires no physical contact with the user's mobile phone. The attacker usually delivers it through a browser, IM software or SMS messages.\nLocal(ly): the attacker must induce the victim to install a malicious app on the phone, or directly uses ADB commands, NFC, Bluetooth, or another local interface to launch the attack.\nLow-level user interaction: scenarios where the security vulnerability can be triggered just by clicking on a link.\nHigh-level user interaction: scenarios where the security vulnerability can be triggered only after the induced user installs a malicious app, clicks a phishing email, clicks to confirm twice or more, or proceeds past a risk prompt.\n\n# Special Notes of Mobile Devices Scoring Rules\n**Concepts Involved in Mobile Phone Security Vulnerabilities**\n- Remote: The attacker exploits the vulnerability without installing the app concerned and without physical contact with the victim's device, for example by having the victim browse web pages, read SMS or MMS messages, receive or send emails, download files, or use wireless network communications (excluding communication at a distance of less than 10 cm).\n- Local: The attacker exploits the vulnerability with the relevant app already installed on the victim's system, or through physical contact with the victim's system, or over a communication link shorter than 10 cm.\n- Constrained process: a process subject to stricter permission restrictions than a normal app process, running in a tightly restricted SELinux (SEAndroid) domain.\n- Normal app process: an application or process running in the untrusted_app or platform_app domain of SELinux (SEAndroid), such as a third-party application/process or a built-in application/process without system-level permissions.\n- Privileged process: an application or process running in the system_app domain of SELinux (SEAndroid), such as a process running with system-level or root permissions.\n- TCB: stands for Trusted Computing Base. It refers to all of a device's protective mechanisms, including the hardware, firmware, software, and components that implement the security policy. It provides the basic protection environment and the additional user services a trusted computing system requires, including but not limited to parts of the kernel and drivers, and user-space services equivalent to the kernel, such as init and vold.\n- TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device and mainly provides the Android system with a running environment for security services such as trusted computing and storage.\n- ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and simple OS, such as a baseband modem.\n\n**Application for CVE IDs**\n- OPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs.\nTo apply for a CVE ID, send an application email to security@oppo.com. 
You need to list the following points in the email:\n- The name and Report ID of the vulnerability\n- The impact of the vulnerability\n- The type and severity of the vulnerability\n- PoC\n- The nickname and email address of the applicant\nThe OSRC team will review the report in line with CVE requirements. If the review finds no problem, the OSRC will help the researcher apply for a CVE ID. \n\n**Repeated Vulnerability Reports**\n- Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be treated as duplicates.\n- For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on proof of the relevant internal communication. Vulnerabilities reported during this protection period will be ignored.\n- If several similar vulnerabilities exist in more than one parameter of the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining ones will be left out.\n- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining ones will be left out.\n\n**Zero-Day Vulnerabilities**\n- We only accept zero-day (also known as 0-day) vulnerabilities found in OPPO products and services.\n\n**General Vulnerability Review Principles for Third-Party Products**\n- Server-side vulnerabilities: including but not limited to vulnerabilities in third-party components used by OPPO, such as Tomcat, Apache, OpenSSL, and third-party SDKs. 
For a reported vulnerability that becomes publicly known within one month of submission, if OPPO has already received the vulnerability through another channel, OPPO will mark the report as FAIL. If OPPO is still unaware of the vulnerability one month after it is made public and the vulnerability remains present in the third-party products OPPO uses, OPPO will reward the first reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability that becomes publicly known within three months of submission, if OPPO has already received the vulnerability through another channel, OPPO will mark the report as FAIL. If OPPO is still unaware of the vulnerability three months after it is made public and the vulnerability remains present in the third-party products OPPO uses, OPPO will reward the first reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.\n- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.\n- If several similar vulnerabilities exist in more than one parameter of the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability with the greatest impact will be rewarded.\n- Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its root cause and exploitation, and fix recommendations all affect its score to some extent. 
For a reported vulnerability, the lack of a PoC, exploit information, or analysis details will directly affect the scoring.\n- Reporting threats or intelligence already published online will be given no score.\n- The review result for a vulnerability is determined by the difficulty of exploitation as well as the degree and scope of its impact.\n- Scanner results without proof of harm will be considered invalid.\n- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, disrupt the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO reserves the right to take legal action.\n\n# Test Plan\n* Users can sign up for a free account through our website.\n* Please use your **hacker email alias** when testing (h1username@wearehackerone.com).\n* OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.\n* We currently only accept attachments smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.\n* OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.\n\n# Clause Interpretation\n\nThe OSRC reserves the right to interpret all the above clauses.\n\n# Session Layer: HTTP Headers\nResearchers should add headers to requests such as:\n* “X-HackerOne-Research: [H1 username]”\n\n# Prohibitions\n- OPPO opposes and condemns all hacking activities that use vulnerability testing as an excuse to exploit security vulnerabilities to harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying and stealing system information, and maliciously spreading vulnerabilities or data. For details, see the SRC Security Test Specifications. 
For the above-mentioned behaviors, OPPO will pursue legal remedies and hold those responsible accountable in accordance with the law.\n\nThank you for helping keep OPPO and our users safe!\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2025-02-14T06:52:20.165Z"}]