Skip to main content

OnePlus is launching a bug bounty program after disclosing the second breach in two years

OnePlus is launching a bug bounty program after disclosing the second breach in two years


You can earn up to $7,000 for submitting a bug

Share this story

Photo by Jon Porter / The Verge

OnePlus announced its second data breach in two years back in November, and the phone maker promised to launch a bug bounty program by the end of the year to beef up its security. A bug bounty program could, in theory, prevent future breaches. Today, OnePlus announced that its bug bounty program is now live.

If you find a bug or vulnerability, you can submit it here (although you’ll need to make an account first), and it seems the company will be updating a leaderboard of top contributors and featuring the top three contributors on the bug bounty program’s main page.

On a page about the program, OnePlus says it will offer rewards according to the following tiers:

  • Special cases: up to $7,000 
  • Critical: $750–$1,500 
  • High: $250–$750 
  • Medium: $100–$250 
  • Low: $50–$100 

However, it’s unclear what the criteria are for each tier, and OnePlus only says that the reward you might receive is “determined based on vulnerability severity and actual business impact.”

OnePlus is also partnering with HackerOne

In November, OnePlus also said it would be partnering with a “world-renowned security platform next month.” Today, OnePlus announced that platform is bug bounty startup HackerOne. The collaboration with HackerOne is starting as a pilot program where select security researchers will be invited to test against OnePlus’ systems, and OnePlus says a public version of the program will launch in 2020.

In November’s breach, OnePlus said that some customer names, contact numbers, emails, and shipping addresses were possibly exposed, but payment and account information was apparently safe. The company didn’t disclose how many customers were affected. In January 2018, OnePlus said that a security breach affecting up to 40,000 customers caused customers’ credit card information to be stolen.