Cybersecurity is more important than ever as we go into a new decade that is sure to, again, radically change technology as we know it. And no matter how large your developer team is or how thoroughly you test your software, some critical vulnerabilities and bugs still manage to make it into stable software a lot of the time. This is why several companies, including Samsung, Google, and Huawei, have bug bounty programs that allow security researchers to have a go at the company's software and walk away with a very generous amount of cash if they manage to find any critical exploit. OnePlus is now joining this list of companies, as they promised earlier this year.

OnePlus has unveiled its own bug bounty program, which they are calling the OnePlus Security Response Center, or OneSRC for short. The premise is simple: If you (properly) find a vulnerability, you can get money in exchange for (properly) reporting it. The opening of this program comes nearly two years after the company disclosed a security breach in its payment portal, and one month after they disclosed a breach of customer data in the OnePlus Store.

This bug bounty program is a bit different from the equivalents at other companies, though, and the difference is in the payout amounts. While other companies are willing to offer several hundred thousand dollars for a very critical security vulnerability, OnePlus is offering up to $7,000 for what it deems to be the most critical threats, while smaller bugs will go as low as $50-$100. The Submission Policy page clarifies OnePlus' stance on responsible/coordinated disclosure, account interaction, disallowed attack methods, ineligible issues, and finally, the payments.

Here's the reward tier list:

  • Special cases: up to $7,000
  • Critical: $750 - $1,500
  • High: $250 - $750
  • Medium: $100 - $250
  • Low: $50 - $100

While $7,000 is a decent sum for some people, it is a very far cry from what other companies offer. With a company of OnePlus' size and scope - they've grown a lot larger since they launched the OnePlus One five years back - you'd expect payouts for such a program to be just a bit more generous. Nonetheless, we hope the program will help to improve the security of OnePlus products. You can submit bug reports here.

OnePlus also says they will collaborate with HackerOne, a hacker-powered bug bounty platform, to launch a pilot program in 2020, inviting select security researchers to test their systems against potential threats.


Source: OnePlus