Bug Bounty

Welcome to the Opera Bug Bounty information page. We are passionate about the security and privacy of our users. Therefore, we work hard to improve and uphold the security of our products and services. In particular, we are happy to work and collaborate with you on security issues. Essentially, we know that knowledge comes from many different sources, and your help is invaluable to our security approach.

Section overview

If you already know what you are looking for, you can go directly there by following the links. Otherwise, feel free to read our introduction for an overview.

Introduction

We invite you to participate in our Bug Bounty Programs on BugCrowd, where you can contribute to our security process ethically and to the mutual benefit of all parties. We currently run two programs – one public and one private, each with different scopes.

By joining our programs, you get the opportunity to work with one of the world’s top browsers. You also get to contribute to the security community as a whole, and earn rewards in the process.

We value the submission of any valid reports, as well as any new and innovative reports. Together, we can mitigate not only the most obvious attacks, but also the most obscure.

If you want to contribute to the security of Opera products and be eligible for bounties, please see the instructions below on How to join our Bug Bounty Programs.

If you want to report a bug without participating in our Bug Bounty Programs, or if your bug is out of scope, read the next section on submitting other security reports.

CVE Numbering Authorities (CNA) membership

Since December 2019, we have been a part of the MITRE CVE program as a member of the CNA. As such, we are able to evaluate submitted vulnerabilities against a range of criteria and assign CVEs where appropriate.

Read our blog post on becoming a part of the CNA program to learn more about our CNA membership.

How to join the Opera Bug Bounty Programs

Opera has Bug Bounty Programs hosted in BugCrowd. We invite researchers and ethical hackers from around the world to contribute to the improvement of Opera products.

To report vulnerabilities to the public Bug Bounty Program, or to join our private Bug Bounty Program, you need to have an account on BugCrowd. Visit BugCrowd to create an account.

To join the private Bug Bounty Program, submit this form with your BugCrowd username and e-mail. This allows us to verify that you meet the program criteria.

Please note that, to be eligible for a bounty, assets must be explicitly listed as being in scope and the bugs have to be reported through BugCrowd.

Other security reports (Out-of-Scope reports)

If you find a bug or vulnerability that is out of scope for our private and public bug bounty programs, or if you are not eligible to participate in either program, you can still submit your report directly to us.

To submit an Out-of-Scope report, fill in this form with the appropriate details. Please note that we don’t pay bounties for such submissions.

Keep in mind that bugs inherited from Chromium should be reported to the Chromium Project.

We also do not accept bugs in versions of Opera that are no longer supported.

Our Android apps

Our Android applications are listed in the Google Play Security Rewards Program (GPSRP), and are eligible for bounty by Google. As such, submissions related to one or more of our Android applications may also meet GPSRP criteria.

Please report any vulnerabilities to us first through the public bug bounty program if the respective app is in scope, or using this form if it’s not.

If you think the vulnerability is eligible for Google’s reward program, you can submit a report to Google once the vulnerability has been confirmed and fixed. Please see the rules listed on the GPSRP website for more information about Google’s reward program.

Please note that bounties from the GPSRP are at Google’s discretion, and are not handled by us.

Contact us!

If you have any questions about our Bug Bounty program, submitting Out-of-Scope issues or any other security related inquiry, please contact us through our designated inquiry portal. We look forward to hearing from you!