In context: OnePlus has had two data breaches in its six-year history, the most recent of which was followed by a commitment from the company to strengthen the security of its ecosystem with the launch of a bug bounty program.
The OnePlus Security Response Center is the company's new bug bounty program, launched in the wake of two data breaches: one last year that affected credit card customers, and a second, more recent one in November that exposed personal details of some users.
"We welcome independent security researchers of all backgrounds and levels to join us in our efforts to secure the OnePlus ecosystem," notes the program's announcement page. Researchers who've found a security vulnerability or a bug in OnePlus' systems need to sign up for an account and can submit their findings here.
Based on a vulnerability's "severity and actual business impact," OnePlus has created the following five reward tiers:
- Special cases: up to $7,000
- Critical: $750–$1,500
- High: $250–$750
- Medium: $100–$250
- Low: $50–$100
Researchers can look for security issues and loopholes in OnePlus-owned components such as the company's official website, OnePlus Store, Oxygen OS, OnePlus App Store, OnePlus Cloud, OnePlus Communities and Accounts.
The program also mentions certain practices that researchers should refrain from, like attempting DDoS attacks, spamming, social engineering OnePlus' staff and physically damaging the company's property. The announcement page also lists several techniques and exploits that count as 'Ineligible Issues' in case anyone looks to go that route.
Even for special cases, a $7,000 reward seems a bit closefisted on OnePlus' part, especially when discovering (and fixing) a critical vulnerability can often save a company millions of dollars, not to mention other important factors like customer trust or the increasing difficulty and sophistication of finding loopholes in modern software and hardware systems.