OnePlus, the fast-growing smartphone brand, has witnessed two security breaches in two years and it now wants to leave no room for error. The Chinese tech company has started a bug bounty program, which lures security researchers with handsome cash rewards for finding bugs in its systems.
OnePlus had already announced that it would start a bug bounty program by the end of this year to address security woes, and it has lived up to its promise. Rewards under the OnePlus bug bounty program range from at least $50 (around Rs 3,500) to as high as $7,000 (around Rs 4.9 lakh) for finding and reporting bugs in its products and systems.
The reward system
OnePlus has five categories to classify different kinds of bugs and rewards that can be earned:
- Special cases: up to $7,000
- Critical: $750 to $1,500
- High: $250 to $750
- Medium: $100 to $250
- Low: $50 to $100
OnePlus simply says the reward will be determined "depending on the potential impact of the threat."
"The global OnePlus Security Response Center will engage academics and security professionals to responsibly discover, disclose and remediate issues that could affect the security of OnePlus' systems, and will help us proactively counter potential external threats to user security," OnePlus said in a forum post on Thursday.
How to report bugs?
Security researchers can participate in the OnePlus bug bounty program from anywhere in the world. The reports of potential threats can be submitted through the OneSRC website, which has a "Monthly Hall of Fame" to recognize top contributors of the month.
Security researchers must give a summary of the issue, state the type of vulnerability, select the severity of the issue, and submit a proof of concept for OnePlus technical experts to review.
In addition to the OnePlus bug bounty program, the company has also partnered with HackerOne to get insights from "top security researchers, academic scholars and independent experts to better uncover potential threats to our systems."
OnePlus and HackerOne have collaborated for a pilot program, where only select researchers would be invited to test OnePlus' security. The public version of the program will go live next year.
OnePlus isn't taking this step without cause. There have been two security breaches at OnePlus, both involving its customers' data. The first breach took place in January last year and affected up to 40,000 customers, whose credit card information was stolen. This triggered a wave of criticism, but another breach in November put a lot of heat on OnePlus. In last month's breach, details such as customer names, contact numbers, emails, and shipping addresses were exposed.