Vulnerability Policy

Opera is committed to your security, and we have a long and proven track record of fulfilling that commitment. Below, we take you through the process of how we handle security vulnerabilities when they are discovered and what steps we take to keep you, and others who are using our product, safe while online.

How we handle security reports

Security reports are always dealt with as a matter of the highest priority. When security reports are received, the potential threat is assessed as soon as possible. When a reported issue is identified as a security issue, the reporter is contacted. As is the industry convention, a disclosure date is agreed with the reporter.

A disclosure date is agreed upon on a case-by-case basis. The delay between report and disclosure allows a fix to be prepared, tested, and checked for any other related problems. At the same time, it ensures that users are not left with a publicized vulnerability without any means to upgrade. As is the industry convention, a disclosure date is communicated to the reporter (up to 90 days).

When and where necessary, the reporter may also be asked for more information about how to reproduce the issue. Occasionally, reports of possible security issues are found not to be about exploitable security issues. Where appropriate, the reporter will be contacted with an explanation of why we believe this is not a security issue.

Please note: reports without a clear description of steps to reproduce the issue and proofs-of-concept will likely be closed as invalid on our side.

How vulnerabilities are disclosed

In order to protect our users, we encourage responsible disclosure, which involves not disclosing vulnerability details to any third party until we have had a chance to fix the issue. Our fix will be mentioned in changelogs, and we will typically link to a security advisory. In some cases, we may choose to wait before publishing the advisory, for instance, when other vendors are still vulnerable. An advisory contains details of the issue, our solution to the issue, and in most cases, a recommendation to upgrade to the latest, official release. It will not usually explain how an issue may be exploited, but it will contain enough information to identify a specific issue. If the reporter has practiced responsible disclosure, we will credit them in the advisory.

How Opera’s security group works

In addition to dealing with incoming reports, Opera’s security group proactively looks for potential security issues. When new technologies are considered or implemented, our security group assesses those technologies for possible security implications, and specifications and implementations may be changed accordingly.

After implementation and release, this effort continues. If issues are discovered, they are fixed, and the fix is released in a new Opera version. Where appropriate, the release changelog will mention the security fix, and an advisory may be issued.

How security issues are rated

When security agencies report an issue, they will typically include a severity rating, based on how easy it is to exploit the issue and the potential effects of a successful exploit. Examples include the following:

  • Crashers that prevent the application from restarting.
  • Possibility to make one website appear to be another website.
  • Ability to execute arbitrary code.
  • Ability to read files on the user’s system or login information for other sites.

As the issue is investigated, more details may be discovered about the severity or ease of exploitation. In some cases, we may find that the reporter has given the issue too high or too low a rating. This may mean that we give an updated rating, based on our own knowledge of the issue. This rating may also be revised following further investigation.

Opera and 0-day threats

When it comes to cybersecurity, 0-day, or zero-day, is probably the most serious level of threat a software provider has to deal with. The name comes from the fact that the software provider has zero days at their disposal to mitigate or address the threat – it is active, here and now, and can put users at risk.

At the same time, 0-day has become one of the most overused terms in the industry. Even cybersecurity experts disagree with each other on how exactly to define a 0-day. But everyone can agree they should be dealt with as soon as possible – or risk leaving users unprotected from a potentially major threat.

As such, we believe it is vital to assign the proper weight to the term. Opera considers a 0-day threat to be a serious security vulnerability, which:

  • the software provider doesn’t know about
  • has been discovered by bad actors and has been made public, and
  • at the time it becomes public, continues to be unpatched

This is why responsible disclosure is an important part of cybersecurity. If a vulnerability is discovered by a security expert and responsibly disclosed to the software vendor, and a fix is developed and released before it is publicly disclosed, it is not considered a 0-day.

The cybersecurity community has come up with more detailed breakdowns of the term, including 0-day vulnerability – where a vulnerability is discovered but not actively exploited; 0-day attack – where bad actors discover the vulnerability and actively attack it; and 0-day exploit – which is the method that bad actors have come up with to perform a 0-day attack by exploiting that vulnerability. However, many respected experts believe that this risks watering down the magnitude and seriousness of a 0-day threat. This is why at Opera, we prefer adhering to the more traditional definition.

What if Opera is not the only application affected?

Occasionally, we find that an issue affects applications released by other vendors. In these cases, if the original reporter has not contacted the other vendors, we may contact the affected vendors.

In these cases, the disclosure date may be delayed to give the other vendors time to issue their own patches. Web security depends on vendors cooperating to improve protection for all users. Publicly disclosing details of the vulnerability before the other vendors have had an opportunity to fix their applications would leave their users vulnerable. Security advisories will usually be released by vendors and the reporter on the new agreed date. If a patched release is issued earlier than this date, its changelog may not contain details of the vulnerability but should contain a note saying that it is a security upgrade and that more details will be added later.

More information

For more information on how Opera handles security issues, please see our Opera Security blog. Security issues can be reported securely through the Opera bug tracking system.