Following the announcement of a severe data breach in late November of this year, OnePlus has now announced the launch of its own bug bounty program. The program will start out, for now, as a collaborative private effort according to recent reports. Namely, OnePlus has partnered with HackerOne and it will currently work as a pilot and only select security researchers will be participating. Those will be by invite only.
Once the program has fully taken off, it will go public in 2020. That will pave the way for many more security researchers to take part and potentially earn cash finding weaknesses in OnePlus's security.
The most recent security breach in question is actually the second security breach OnePlus has suffered in two years. The November breach arguably being the lighter of the two. In November, only shipping addresses, names, contact numbers, and emails are likely to have been stolen. One Plus hasn't quite been clear about how exactly that happened.
Not every user was impacted this time either. In the 2018 breach, as many as 40,000 customers had their credit card information stolen. That also seems to have included payment details, passwords, and accounts of at least some of those customers. Breaches including the details that were stolen in November can still lead to phishing attacks and identity theft. So it was still a very serious ordeal.
What exactly does this do?
While OnePlus was able to stop the November breach from growing and fix the underlying issue, the bug bounty program is great news for consumers. Such programs are relatively common in the tech world, inviting researchers to probe at and for potential bugs. Google runs a similar program for its apps, services, and hardware.
In effect, that means many can be found before malicious entities find them and they become a problem. The researchers' results can also offer clues about how to harden other areas of the underlying system where similar bugs might be found. All of that gives OnePlus an advantage over would-be bad actors.
What are the bounties bug discoverers can earn?
To spur rapid growth of its bug bounty program, OnePlus is offering both awards and rewards at launch. On the one hand, the company will be parceling out rewards based on the severity of a bug and other related factors. It's classifying those as Special cases, Critical, High, Medium, and Low — in line with industry standards.
Of course, Special case bugs can net a researcher or researchers up to $7,000 and rewards go down from there. At the other end of the spectrum, Low severity bugs earn from $50 to $100. In between, Medium and High severity bugs net researchers $100 to $250 or $250 to $750 respectively. Critical bugs and vulnerabilities will be worth $750 to $1,500 for researchers.
That's not quite as high as Google's reward offerings. But OnePlus is following Google's lead in one other area. Namely, the company is gamifying its bug bounty program. Those who find a bug or vulnerability will be eligible for addition to a leaderboard of contributors. The top three will be featured on the main page for the program.