What does OnePlus's Bounty Program Bring?

Sunday, 22 Dec, 2019

The new bounty program, called the "OnePlus Security Response Center", will reward academics and security professionals who discover and disclose potential threats to the company's systems.

Specifically, Apple says, a researcher would have to report fresh "zero-click kernel code execution with persistence" to bag the $1 million reward.

Interestingly, Apple increased the maximum bounty from $200,000 per exploit to a staggering $1 million, depending on the nature of the security flaw discovered.

Enough information for Apple to reasonably reproduce the problem.

Until today, Apple had been running an invitation-only bug rewards program for selected security researchers, and it accepted only iOS security bugs.

On Thursday, the company announced that it is offering rewards for qualifying bug reports ranging from $50 to $7,000. Both decisions were criticized by the security community: discouraging the responsible disclosure of serious vulnerabilities could prompt researchers to profit from their discoveries in far less benevolent ways.

Below is the video of Ivan Krstić, Apple's head of security, announcing Apple's public bug bounty program at Black Hat over the summer (at 38:05).

Also, a bonus will be awarded for revealing "regression bugs", that is, bugs that were patched once but have resurfaced in the latest version of the software.

In context: OnePlus has had two data breaches in its six-year history, the most recent of which was followed by a commitment from the company to strengthen the security of its ecosystem with the launch of a bug bounty program.

Be the first to report the issue.

OnePlus's bug bounties don't just cover its smartphones, as some might presume, but all of OnePlus's systems, including its website and forums. All security issues with significant impact on users will be considered for an Apple Security Bounty payment, even if they do not fit the published bounty categories.