Bug Bounty

Welcome to the Opera Bug Bounty information page. We are passionate about the security and privacy of our users. Therefore, we work hard to improve and uphold the security of our products and services. In particular, we are happy to work and collaborate with you on security issues. Essentially, we know that knowledge comes from many different sources, and your help is invaluable to our security approach.

Section overview

If you already know what you are looking for, you can go directly there by following the links. Otherwise, feel free to read our introduction for an overview.

Introduction

We invite you to participate in our Bug Bounty Program on BugCrowd, where you can contribute to our security process ethically and to the mutual benefit of all parties. We currently run only a public program.

If you want to report a bug without participating in our Bug Bounty Programs, or if your bug is out of scope, read the next section on submitting other security reports.

CVE Numbering Authorities (CNA) membership

Since December 2019, we have been a part of the MITRE CVE program as a member of the CNA. As such, we are able to evaluate submitted vulnerabilities against a range of criteria and assign CVEs where appropriate.

Read our blog post on becoming a part of the CNA program to learn more about our CNA membership.

Other security reports (Out-of-Scope reports)

If you find a bug or vulnerability that is out of scope for our bug bounty program, you can still submit your report directly to us.

To submit an Out-of-Scope report, fill in this form with the appropriate details. Please note that we don’t pay bounties for such submissions.

Keep in mind that bugs inherited from Chromium should be reported to the Chromium Project.

We also do not accept bugs in versions of Opera that are no longer supported.

Our Android apps

Our Android applications are listed in the Google Play Security Rewards Program (GPSRP), and are eligible for bounty by Google. As such, submissions related to one or more of our Android applications may also meet GPSRP criteria.

Please report any vulnerabilities to us first through the public bug bounty program if the respective app is in scope, or using this form if it’s not.

If you think the vulnerability is eligible for Google’s reward program, you can submit a report to Google once the vulnerability has been confirmed and fixed. Please see the rules listed on the GPSRP website for more information about Google’s reward program.

Please note that bounties from the GPSRP are at Google’s discretion, and are not handled by us.

Contact us!

If you have any questions about our Bug Bounty program, submitting Out-of-Scope issues or any other security related inquiry, please contact us through our designated inquiry portal. We look forward to hearing from you!