Opera is committed to your security, and we have a long and proven track record of fulfilling that commitment. Below, we take you through the process of how we handle security vulnerabilities when they are discovered and what steps we take to keep you, and others who are using our product, safe while online.
How we handle security reports
Security reports are always dealt with as a matter of the highest priority. When security reports are received, the potential threat is assessed as soon as possible. When a reported issue is identified as a security issue, the reporter is contacted. As is the industry convention, a disclosure date is agreed with the reporter.
A disclosure date is agreed upon on a case-by-case basis. The delay between report and disclosure allows a fix to be prepared and tested and checked for any other related problems. At the same time, it ensures that users are not left with a publicized vulnerability, without any means to upgrade. As is the industry convention, a disclosure date is communicated to the reporter (up to 90 days).
When and where necessary, the reporter may also be asked for more information about how to reproduce the issue. Occasionally, reports of possible security issues are found not to be about exploitable security issues. Where appropriate, the reporter will be contacted with an explanation of why we believe this is not a security issue.
Please note: reports without a clear description of steps to reproduce the issue and proofs-of-concept will likely be closed as invalid on our side.
How vulnerabilities are disclosed
In order to protect our users, we encourage responsible disclosure, which involves not disclosing vulnerability details to any third party until we have had a chance to fix the issue. Our fix will be mentioned in changelogs, and we will typically link to a security advisory. In some cases, we may choose to wait before publishing the advisory, for instance, when other vendors are still vulnerable. An advisory contains details of the issue, our solution to the issue, and in most cases, a recommendation to upgrade to the latest, official release. It will not usually explain how an issue may be exploited, but it will contain enough information to identify a specific issue. If the reporter has practiced responsible disclosure, we will credit them in the advisory.
How Opera’s security group works
In addition to dealing with incoming reports, Opera’s security group proactively looks for potential security issues. When new technologies are considered or implemented, our security group assesses those technologies for possible security implications, and specifications and implementations may be changed accordingly.
After implementation and release, this effort continues. If issues are discovered, they are fixed, and the fix is released in a new Opera version. Where appropriate, the release changelog will mention the security fix, and an advisory may be issued.
How security issues are rated
When security agencies report an issue, they will typically include a severity rating, based on how easy it is to exploit the issue and the potential effects of a successful exploit. Examples include the following:
- Crashers that prevent the application from restarting.
- Possibility to make one website appear to be another website.
- Ability to execute arbitrary code.
- Ability to read files on the user’s system or login information for other sites.
As the issue is investigated, more details may be discovered about the severity or ease of exploitation. In some cases, we may find that the reporter has given the issue too high or too low a rating. This may mean that we give an updated rating, based on our own knowledge of the issue. This rating may also be revised following further investigation.
What if Opera is not the only application affected?
Occasionally, we find that an issue affects applications released by other vendors. In these cases, if the original reporter has not contacted the other vendors, we may contact the affected vendors.
In these cases, the disclosure date may be delayed to give the other vendors time to issue their own patches. Web security depends on vendors cooperating to improve protection for all users. Publicly disclosing details of the vulnerability before the other vendors have had an opportunity to fix their applications would leave their users vulnerable. Security advisories will usually be released by vendors and the reporter on the new agreed date. If a patched release is issued earlier than this date, its changelog may not contain details of the vulnerability but should contain a note saying that it is a security upgrade and that more details will be added later.