
OPPO
Bounty range: $1 - $70 (external program)
Program guidelines
At OPPO, we believe in the power of collaboration to enhance security. That’s why we are excited to publicly collect business vulnerability reports through our H1 initiative. With our extensive testing resources and a generous reward program, we aim to encourage ethical hackers and security researchers from around the globe to contribute to the safety of our products and services.
Fast Payment: ensures payment within 1 month of receiving a vulnerability report (https://docs.hackerone.com/en/articles/8490833-security-page#h_9c1fc6b7c0).
Gold Standard Safe Harbor: adheres to Gold Standard Safe Harbor (https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement).
Top Response Efficiency: this program's response efficiency is above 90% (https://docs.hackerone.com/en/articles/8490880-response-target-indicators).
Managed by HackerOne. Collaboration enabled. Includes retesting.
Average time to first response: 12 hours
Average time to triage: 1 day, 10 hours
Average time to bounty: 1 week, 4 days
Average time from submission to bounty: 1 week, 6 days
Average time to resolution: 1 month, 4 days
Last updated on March 19, 2026.
Each severity lists the 90-day average bounty and the percentage of total resolved reports, if applicable.
Severity | Bounty range | Avg. bounty (90 days) | Share of resolved reports
--- | --- | --- | ---
Low | $1–$45 | $22 | 48.80%
Medium | $10–$430 | $161 | 41.60%
High | $30–$3,500 | $2,663 | 8%
Critical | $70–$11,500 | n/a | 1.60%
Bounty table (USD) by property category and severity:

Property category | Low | Medium | High | Critical
--- | --- | --- | --- | ---
Low Level Properties and Test environment | $1–$10 | $10–$20 | $30–$70 | $70–$150
Mobile Properties | $20–$45 | $230–$430 | $2,900–$3,500 | $5,000–$11,500
Moderate Level Properties | $10–$20 | $45–$80 | $150–$450 | $450–$700
Extremely high properties | $20–$45 | $230–$430 | $2,900–$3,500 | $5,000–$11,500
High Level Properties | $15–$30 | $150–$300 | $720–$1,200 | $2,900–$4,300
OPPO categorizes all business operations into three levels of importance: Extremely High importance, High importance and Moderate importance. Note: We only accept vulnerabilities related to these business coefficients.
The OPPO program on H1 currently accepts vulnerabilities in the following areas:
** Web/App services Scope **
This type of security vulnerability mainly refers to those in mobile devices powered by ColorOS or realme UI. It includes security vulnerabilities in ColorOS or realme UI built-ins and security vulnerabilities in OPPO's and realme's proprietary apps available in the App Market.
For the scope of acceptance, please refer to: 🔹 Google Document (detailed domain/package name scope): https://docs.google.com/spreadsheets/d/1K2knhissfw817g_wLNQYJLGIn--j9HKHYBXsdALrD8Y/edit?usp=sharing
Notes: In addition, if other businesses nested within a certain coefficient business are involved, they will be calculated according to their actual belonging coefficients. For example, a high level property embedded within an open platform or a mid level property nested within an e-commerce platform will be calculated based on the mid level property. The specific circumstances will be clarified by OSRC.
The following explains the concepts involved in, for example, mobile app security vulnerabilities that can be triggered only through actions such as inducing a user to click a link or a phishing email, or to install malicious software:
Remote(ly): An online attack that requires no physical contact with the user's mobile phone. Usually the attacker uses a browser, IM software or SMS messages to launch the attack.
Local(ly): The attacker must induce the victim to install a malicious app on the phone, or the attacker directly uses ADB commands, NFC, Bluetooth, or any other function to launch the attack.
Low-level user interaction: specific to scenarios where a security vulnerability can be triggered just by clicking on a link.
High-level user interaction: specific to scenarios where a security vulnerability can be triggered only after an induced user installs a malicious app, clicks a phishing email, clicks to confirm twice or more, or proceeds after a risk prompt is displayed.
** Mobile Devices Properties **
Scope of Devices

Brand | Product Series | Models as of June
--- | --- | ---
OPPO | Reno series | Reno8 Pro 5G, Reno8 5G, Reno9 5G, Reno9 Pro+ 5G, Reno9 Pro 5G, Reno9 5G, Reno10 Pro 5G, Reno10 5G, Reno10 Pro+ 5G, Reno11 Pro 5G, Reno11 5G, Reno12, Reno12 Pro
OPPO | Find series | Find N2, Find N2 Flip, Find X6, Find X6 Pro, Find N3, Find N3 Flip, Find X7, Find X7 Ultra
OPPO | K series | K9, K9 Pro, K9s, K10, K10 5G, Porsche-B
realme | GT series | realme GT7 Pro, realme GT7, realme GT7T, realme GT6, realme GT6T
realme | Number series | realme 15 Pro 5G, realme 15 5G, realme 15T
realme | P series | realme P3 Lite 5G, realme P4 Pro 5G, realme P4 5G, realme P1 speed
realme | Narzo series | NARZO 80 Lite 4G, Narzo 80 lite 5G, NARZO 80x 5G, NARZO 80 Pro 5G
realme | NOTE series | Note 70
realme | C series | realme C75 5G, realme C71

Note: The above list will be updated from time to time. Please stay tuned! If any new model is launched but not in the list, that model is also in the reward scope.
During the testing process, you may trigger certain test environment domains. However, as we currently do not have a clearly defined scope for testing domains, when a vulnerability you submit falls within the testing range, we will update you accordingly in the review results.
Thank you for your understanding!
Core Ineligible Findings are out of scope (see https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings).
This program has not committed to the following Platform Standards. As such the report severity or outcome may differ.
Last updated on March 4, 2026.
OPPO’s commitment to global researcher collaboration significantly enhances product security. We welcome hackers worldwide to submit security vulnerability reports related to OPPO services. Your contributions will help enhance the security of OPPO's business and products. The OPPO program on H1 currently accepts vulnerabilities in the following areas:
** Web/App services **
For the scope of acceptance, please refer to: 🔹 Google Document (detailed domain/package name scope): https://docs.google.com/spreadsheets/d/1K2knhissfw817g_wLNQYJLGIn--j9HKHYBXsdALrD8Y/edit?usp=sharing
Notes: In addition, if other businesses nested within a certain coefficient business are involved, they will be calculated according to their actual belonging coefficients. For example, a high level property embedded within an open platform or a mid level property nested within an e-commerce platform will be calculated based on the mid level property. The specific circumstances will be clarified by OSRC.
** Web Application Scoring Rules **
We have defined four levels for mobile phone security vulnerabilities based on the degree of their impact: Critical, High, Moderate, and Low. For each level, the examples of vulnerability and impact and the bounty range (USD, by property level) are listed below.

Critical (bounty range: Extremely High 5000–11500; High 2900–4300). Including but not limited to:
1. Directly obtain permissions to servers that host important data and processes as well as other important data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.
2. Serious leakages of sensitive information, including but not limited to SQL injection in core databases (relating to funding, user identity, and transactions) and interface problems which allow individuals to obtain the identity information, order information, and bank card information of large numbers of key users.
3. Serious logic design flaws and process flaws, including but not limited to interface problems allowing individuals to consume the money in any bank account, log in to any OPPO account, and change the password of any OPPO account.

High (bounty range: Extremely High 2900–3500; High 2900–4300). Including but not limited to:
1. Directly obtain permissions to servers that host general data and processes as well as other general data, including but not limited to remote command execution, arbitrary code execution, web shell upload for acquisition of web server permissions, SQL injection allowing individuals to obtain system permissions, and buffer overflows allowing individuals to obtain system permissions.
2. Leakages of sensitive information, including but not limited to SQL injection in non-core databases, leakage of source code packages, reversible server application encryption or storage of passwords as plain text, hard coding, and GitHub sensitive information leakage (including but not limited to the leakage of key server accounts and their passwords).
3. Unauthorized access to sensitive information, including but not limited to direct access to the backend by bypassing authentication, weak backend passwords, and Server-side Request Forgery (SSRF) enabling individuals to obtain large amounts of sensitive Intranet data.
4. Unauthorized manipulation of sensitive data, including but not limited to modification of important information, manipulation of orders, and modification of important configurations through an unauthorized account.
5. Other vulnerabilities that affect users on a large scale, including but not limited to Stored XSS on important pages that can cause automatic spread and allow acquisition of authentication credentials (cookies).

Moderate (bounty range: Extremely High 230–430; High 150–300). Including but not limited to:
1. Vulnerabilities that can affect users only through interaction, including but not limited to Stored XSS on general web pages and major Cross-site Request Forgery (CSRF) vulnerabilities. All vulnerability descriptions must provide proof of the harm to other users.
2. Ordinary unauthorized operations, including but not limited to bypassing restrictions to modify user information and perform user operations.
3. Leakages of ordinary information, including but not limited to web path traversal, system path traversal, and plain-text password transmission over HTTP when a HeyTap account is used for sign-in.
4. Ordinary logic design flaws and process flaws, including but not limited to flaws in the verification code logic for important systems that cause the verification and relevant restrictions to be bypassed, leading to credential stuffing attacks.
5. Unrestricted brute-force attacks on important account systems.

Low (bounty range: Extremely High 20–45; High 15–40). Including but not limited to:
1. Vulnerabilities allowing individuals to access user identity information only in specific unpopular browser environments (for example, IE6). Such vulnerabilities include but are not limited to Reflected XSS (including Reflected DOM-based XSS) and Stored XSS in ordinary properties.
2. Minor information leakages, including but not limited to leakage of path information, SVN information, PHP information, exception information and configuration settings, log printing, and plain-text password transmission over HTTP when a non-HeyTap account is used for sign-in.
3. Unauthorized access, including but not limited to client-side active defense bypass and OPPO URL redirection vulnerabilities. (Note that redirecting an OPPO URL to a normal website is not considered a vulnerability. If the PoC for URL redirection shows that an OPPO URL can be redirected to any domain that does not belong to OPPO without any prompt being displayed, then there is a vulnerability. Otherwise no vulnerability exists.)
4. Vulnerabilities that are difficult to exploit but may cause security risks. Such vulnerabilities include but are not limited to Self-XSS that may cause the spread and exploitation of XSS, JSON Hijacking that has obtained sensitive information, clickjacking on input web pages containing sensitive information (a valid exploit must be provided in the vulnerability details), CSRF attacks involving unimportant sensitive information, and remote code execution through man-in-the-middle (MITM) attacks (a valid PoC must be provided in the vulnerability details).
5. Other vulnerabilities that can only cause slight impact. Such vulnerabilities include but are not limited to inappropriate configuration settings for system/service maintenance and operations and vulnerabilities in component-level permissions.
6. Verification code message/email bombing, which means that a single IP or user keeps sending more than 50 verification code messages/emails to the same mobile number/email box within 30 minutes. (Note: Reported problems wherein the same interface is used to send one verification code message/email to an unlimited number of mobile numbers or email boxes will be ignored.)

NSI (no bounty). Including but not limited to:
1. Bugs involving no security risks, including but not limited to product function defects, garbled pages, mixed content, directory traversal that has caused the leakage of meaningless or non-sensitive information, and application compatibility issues.
2. Vulnerabilities that cannot be exploited, including but not limited to a scanner's meaningless vulnerability reports (such as a report on a low web server version), meaningless XSS (such as Self-XSS attacks), XSS that uses social engineering or phishing, POST-based XSS, JSON hijacking involving no sensitive information, leaking of meaningless exception information, leaking of IP addresses or domain names in the intranet, meaningless clickjacking, HTTP request smuggling, obtaining the user's cookies by exploiting unconfigured CORS during user interaction, and brute-force attacks that cannot be further exploited.
3. CSRF attacks involving no sensitive information, including but not limited to adding items to or deleting items from an online shopping cart, as well as executing actions on an online forum such as logging out of an account, giving likes, following others, publishing posts, making comments, and sending flowers.
4. Traversals and leakages of non-sensitive information. Such information includes but is not limited to middleware version and non-sensitive information.
5. Vulnerabilities that cannot be reproduced or other issues that cannot directly reflect any vulnerability, including but not limited to vulnerabilities that are purely a user's guesses.
6. Cracking of 6-digit verification codes by distributed equipment.
7. Other vulnerabilities with extremely low risks.
Note: NSI = Not Security Issue (vulnerabilities that do not qualify for bounty rewards)
** Mobile App Security Vulnerabilities **
This type of security vulnerability mainly refers to those in mobile devices powered by ColorOS or realme UI. It includes security vulnerabilities in ColorOS or realme UI built-ins and security vulnerabilities in OPPO's and realme's proprietary apps available in the App Market. For each level, the examples of vulnerability and impact and the reward (USD) are listed below.

Critical (reward: $5,000–$11,500):
1. Arbitrary code execution in the TEE;
2. Unauthorized access to TEE-protected data (limited to fingerprints, face data, payment information, and other data that can cause property loss to the victim);
3. Remote code execution in a privileged process or the TCB or ICE;
4. Remote permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS);
5. Remote bypass of interaction requirements for installing an app package or an equivalent action;
6. Bypass of the secure boot mechanism;
7. Upgrading to firmware or an image not signed by OPPO;
8. Vulnerabilities allowing individuals to extract or infer private user information, such as images and sounds, from the AI model file.

High (reward: $2,900–$3,500):
1. Remote code execution in an unprivileged process;
2. Local arbitrary code execution in a privileged process, the TCB or ICE;
3. Unauthorized access to TEE-protected data;
4. Remote access to protected data (usually limited to the data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process);
5. Local permanent DoS attacks (causing the attacked device to be unusable; for example, the device is damaged permanently or can resume only through re-flashing the entire OS);
6. Remote temporary DoS attacks (remote hang or reboot);
7. Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission);
8. Local bypass of user interaction requirements for modifying security settings (such as Developer Options);
9. Bypass of the security protection mechanism that separates the app data from other apps;
10. Bypass of the security protection mechanism that separates users or user profiles from one another;
11. Local bypass of user interaction requirements for installing an app package or an equivalent action;
12. Lock screen bypass;
13. Bypass of the device protection functions (such as the "Find My Phone" function);
14. Bypass of the carrier's restrictions (such as SIM card lock);
15. Bypass of the authentication mechanism to control OPPO smart devices;
16. Local acquisition of private user data through the AI model.

Moderate (reward: $230–$430):
1. Remote code execution in a constrained process;
2. Local code execution in an unprivileged process;
3. Bypass of the mitigation technology in a privileged process or in the TCB, ICE, or TEE;
4. Bypass of restrictions on a constrained process;
5. Bypass of restrictions on the privacy password;
6. Remote access to unprotected data (usually referring to all the data that can be accessed by locally installed apps);
7. Local access to protected data (usually limited to the data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process);
8. Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission);
9. Plain text leakage vulnerability caused by an incorrect encryption algorithm model or incorrect implementation of the encryption algorithm;
10. Bypass of the protection function for restoring factory settings;
11. Targeted blocking of access to emergency services.

Low (reward: $20–$45):
1. Local arbitrary code execution in a constrained process;
2. Bypass of the mitigation technology in an unprivileged process.
Technical Abbreviations:
TEE: Trusted Execution Environment
TCB: Trusted Computing Base
ICE: In-Circuit Emulator
DoS: Denial of Service
** Concepts Involved in Mobile Phone Security Vulnerabilities **
Remote: The attacker exploits vulnerabilities to launch an attack without installing the app concerned or without physical contact with the victim's device, such as by browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or having wireless network communications (excluding communication with a distance of less than 10 cm).
Local: The attacker exploits vulnerabilities to launch an attack that requires the relevant apps to be installed on the victim's system, or requires physical contact with the victim's system with a communication distance of less than 10 cm.
Constrained process: Such a process is subject to stricter permission restrictions than a normal app process, and runs in a strictly restricted domain such as SELinux or SEAndroid.
Normal app process: refers to an application or process running in the untrusted_app or platform_app domain of SELinux (or SEAndroid), such as a third-party application/process or built-in application/process without system-level permissions.
Privileged process: refers to an application or process running in the system_app domain of SELinux (or SEAndroid), such as a process running with system-level permissions or root permissions.
TCB: stands for Trusted Computing Base. It refers to all of a computer's protective devices, including hardware, firmware, software, and components that implement security policies. It ensures a basic protection environment and provides additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.
TEE: stands for Trusted Execution Environment. It co-exists with the Android system on a device. It is mainly used to provide the Android system with a running environment for security services such as trusted computing and storage.
ICE: stands for Independent Computing Environment. It refers to a function- and service-focused set of independent computing units, firmware and simple OS, such as a baseband modem.
** Application for CVE IDs **
OPPO is the world's 100th CVE Numbering Authority (CNA). We can help security researchers who report vulnerabilities in OPPO products apply for CVE IDs. For a CVE application, you can send an application email to mailto:[email protected]. You need to list the following points in the email:
The name and Report ID of the vulnerability
The influence of the vulnerability
The type and the severity of the vulnerability
POC
The nickname and the email of the applicant
The OSRC Team will review the vulnerability report in line with CVE requirements. If the review finds no problem, the OSRC will help the researcher apply for a CVE ID.
** Repeated Vulnerability Reports **
Similar vulnerabilities in the same system should be reported in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If the vulnerabilities are reported separately, only the first report will be considered valid and the subsequent reports will be considered as repeated reports.
For similar vulnerabilities affecting multiple systems, if internal troubleshooting has already started, a protection period of 1–3 months can be defined based on the proof of relevant internal communication. Vulnerabilities reported during this protection period will be ignored.
If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same source, only the first one will be recorded and the remaining will be left out.
For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the remaining will be left out.
** Zero-Day Vulnerabilities **
** General Vulnerability Review Principles for Third-Party Products **
Server-side vulnerabilities: including but not limited to vulnerabilities in the components of Tomcat and Apache being used by OPPO or realme, OpenSSL, and third-party SDKs. For a reported vulnerability which becomes publicly known within one month following report submission, if OPPO or realme has already received the vulnerability from another channel, OPPO or realme will give a FAIL result to the vulnerability report. If OPPO or realme remains unaware of the vulnerability one month after it is made public and the vulnerability remains in OPPO's third-party products, OPPO will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.
Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. For a reported vulnerability which becomes publicly known within three months following report submission, if OPPO or realme has already received the vulnerability from another channel, OPPO or realme will give a FAIL result to the vulnerability report. If OPPO remains unaware of the vulnerability three months after it is made public and the vulnerability remains in OPPO's and realme's third-party products, OPPO or realme will reward the first vulnerability reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.
For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.
If several similar vulnerabilities exist in more than one parameter for the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability that has the greatest impact will be rewarded.
Vulnerability reports should be as detailed and compliant as possible. The details of a reported vulnerability, its working principle and exploits, and fix recommendations affect the scoring of the vulnerability to some extent. For a reported vulnerability, the lack of PoC, exploit information, or analysis details will directly affect the scoring.
Reporting threats or intelligence already published online will be given no score.
The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.
Scanner results without proof of harm will be considered invalid.
If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OPPO will reserve the right to take legal action.
Users can sign up for a free account through our website
Please use your hacker email alias when testing (mailto:[email protected])
OPPO generally does not provide sample devices for testing; researchers need to purchase the devices themselves.
We currently only accept files smaller than 20MB in the following formats: doc, docx, 7z, zip, gz, bz2, excel.
OPPO and realme employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.
** Clause Interpretation **
The OSRC reserves the right to interpret all the above clauses.
Researchers should add headers to requests such as:
OPPO is committed to product security and user privacy protection. Our OSRC (OPPO Security Response Center) Vulnerability Disclosure Program provides a secure channel for researchers to report security issues.
When reporting vulnerabilities:
Allow reasonable time for investigation before public disclosure
Do not exploit discovered vulnerabilities or access sensitive data
Follow applicable laws and privacy regulations
Agree to OPPO's Privacy Policy and these Terms & Conditions
Any inadvertent access to proprietary data must be declared in your report and not used, stored, or disclosed
Submissions grant OPPO a worldwide, permanent, royalty-free license to address vulnerabilities
Do not disclose vulnerabilities to third parties without prior written consent
OPPO will respond within 15 working days and provide progress updates
To protect users, OPPO will not discuss security issues before completing full investigations.
Report vulnerabilities at: https://security.oppo.com/en/responsibleDisclosure
By participating, you acknowledge understanding and acceptance of these policies.
You can check more details of devices standard on : https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1554748210814394368
Thank you for helping keep OPPO and our users safe!
OPPO (https://security.oppo.com/en/, https://x.com/osrc_official)
We would like to promote consumer understanding of OPPO product and business-related security privacy features. Bug Bounty Program launched in Feb 2025.
Response efficiency: 100%
Program statistics | Value
--- | ---
Total bounties paid | $30,571
Average bounty range | $30 - $45
Top bounty range | $450 - $3,100
Bounties paid (90 days) | $12,050
Reports received (90 days) | 677
Last report resolved | 2 days ago
Reports resolved | 125
Hackers thanked | 108
Assets in scope | 124