Security Vulnerability Scoring Standards for Devices (Mobile Phones)
2022-07-13
1. General Principles
OnePlus attaches great importance to the security of its products and services and is committed to protecting user data. Through the OnePlus Security Response Center (OneSRC), we hope to work more closely with individuals and organizations in the industry, including companies, to raise our overall security level.
OnePlus supports responsible vulnerability disclosure and handling. We promise to set up a dedicated team to follow up, analyze, and handle any vulnerability reports and give a timely reply.
2. Scope of Application
The device reward scope covers the models listed below. Devices must be upgraded to the latest software and patch version.

| Device Series | Phone Models |
| --- | --- |
| Nord Series | OnePlus Nord N30 5G, OnePlus Nord 3 5G, OnePlus Nord CE 3 Lite 5G, OnePlus Nord CE 2 Lite 5G, OnePlus Nord CE 2 5G, OnePlus Nord CE 5G, OnePlus Nord 2T 5G, OnePlus Nord 2 5G, OnePlus Nord N20 5G, OnePlus Nord N200 5G, OnePlus Nord N300 5G |
| Flagship Series | OnePlus Open, OnePlus 12, OnePlus 12R, OnePlus 11 5G, OnePlus 10 Pro 5G, OnePlus 10T 5G, OnePlus 9 Pro 5G, OnePlus 9 5G |
| Other | OnePlus 10R 5G, OnePlus Ace, OnePlus 11R 5G, OnePlus 9R 5G, OnePlus Pad |
3. Scoring Rules
We have defined four levels for mobile phone security vulnerabilities based on the degree of their impact: Critical, High, Moderate, and Low. Each level below lists example vulnerabilities and impacts together with its reward range (USD).
Critical (Reward: USD 1440-7170)
- Arbitrary code execution in the TEE;
- Unauthorized access to TEE-protected data (limited to fingerprints, face data, payment information, and other data whose exposure can cause property loss to the victim);
- Remote code execution in a privileged process, the TCB, or the ICE;
- Remote permanent DoS attacks (rendering the attacked device unusable; for example, the device is permanently damaged or can be recovered only by re-flashing the entire OS);
- Remote bypass of user interaction requirements for installing an app package or an equivalent action;
- Bypass of the secure boot mechanism;
- Upgrading to firmware or an image not signed by OnePlus;
- Vulnerabilities allowing individuals to extract or infer private user information, such as images and sounds, from an AI model file.

High (Reward: USD 720-1440)
- Remote code execution in an unprivileged process;
- Local arbitrary code execution in a privileged process, the TCB, or the ICE;
- Unauthorized access to TEE-protected data;
- Remote access to protected data (usually limited to data that can be accessed only after a local app requests and is granted access, or that can be accessed only by a privileged process);
- Local permanent DoS attacks (rendering the attacked device unusable; for example, the device is permanently damaged or can be recovered only by re-flashing the entire OS);
- Remote temporary DoS attacks (remote hang or reboot);
- Remote bypass of user interaction requirements (access to functions that usually require either user initiation or user permission);
- Local bypass of user interaction requirements for modifying security settings (such as Developer Options);
- Bypass of the security protection mechanism that separates an app's data from other apps;
- Bypass of the security protection mechanism that separates users or user profiles from one another;
- Local bypass of user interaction requirements for installing an app package or an equivalent action;
- Lock screen bypass;
- Bypass of device protection functions (such as the "Find My Phone" function);
- Bypass of carrier restrictions (such as SIM card lock);
- Bypass of the authentication mechanism used to control OnePlus smart devices;
- Local acquisition of private user data through an AI model.

Moderate (Reward: USD 150-430)
- Remote code execution in a constrained process;
- Local code execution in an unprivileged process;
- Bypass of mitigation technology in a privileged process or in the TCB, ICE, or TEE;
- Bypass of restrictions on a constrained process;
- Bypass of restrictions on the privacy password;
- Remote access to unprotected data (usually all data that can be accessed by locally installed apps);
- Local access to protected data (usually limited to data that can be accessed only after a locally installed app requests and is granted access, or that can be accessed only by a privileged process);
- Local bypass of user interaction requirements without authentication (access to functions that usually require either user initiation or user permission);
- Plaintext leakage caused by an incorrect choice of cryptographic algorithm or an incorrect implementation of the algorithm;
- Bypass of the protection function for restoring factory settings;
- Targeted blocking of access to emergency services.

Low (Reward: USD 30-70)
- Local arbitrary code execution in a constrained process;
- Bypass of mitigation technology in an unprivileged process.
4. Additional Rewards
We offer a reward as high as USD 14,400 for those who report especially significant security vulnerabilities.
5. Special Notes
5.1 Concepts Involved in Mobile Phone Security Vulnerabilities
- Remote: The attacker exploits a vulnerability without the relevant app being installed and without physical contact with the victim's device, for example through the victim browsing web pages, reading SMS or MMS messages, receiving or sending emails, downloading files, or using wireless network communications (excluding communication at a distance of less than 10 cm).
- Local: The attack requires the relevant app to be installed on the victim's device, or requires the attacker to have physical contact with the victim's device or to communicate with it from a distance of less than 10 cm.
- Constrained process: A process subject to stricter permission restrictions than a normal app process, running in a strictly restricted SELinux (SEAndroid) domain.
- Normal app process: An application or process running in the untrusted_app or platform_app domain of SELinux (SEAndroid), such as a third-party application or process, or a built-in application or process without system-level permissions.
- Privileged process: An application or process running in the system_app domain of SELinux (SEAndroid), such as a process running with system-level or root permissions.
- TCB: Trusted Computing Base. The set of all protection mechanisms of a device, including the hardware, firmware, software, and components that implement its security policies. It provides the basic protection environment and the additional user services required by a trusted computer system, including but not limited to parts of the kernel and drivers, or user services equivalent to the kernel, such as init and vold.
- TEE: Trusted Execution Environment. It co-exists with the Android system on the device and is mainly used to provide the Android system with a running environment for security services such as trusted computing and trusted storage.
- ICE: Independent Computing Environment. A function- and service-focused set of independent computing units, firmware, and a simple OS, such as a baseband modem.
5.2 Repeated Vulnerability Reports
- Similar vulnerabilities in the same system should be reported together in one package. These vulnerabilities share the same risk level, but the reward will be increased appropriately. If they are reported separately, only the first report will be considered valid and subsequent reports will be treated as duplicates.
- If several similar vulnerabilities exist in more than one parameter of the same URL, the vulnerabilities should be combined as appropriate. For similar vulnerabilities resulting from the same root cause, only the first one will be recorded and the rest will be disregarded.
- For similar web or app vulnerabilities in the same common component or SDK, only the first one will be recorded and the rest will be disregarded.
5.3 Zero-Day Vulnerabilities
- The OneSRC accepts zero-day (0-day) vulnerabilities only when they are found in OnePlus products and services.
5.4 General Vulnerability Review Principles for Third-Party Products
- Server-side vulnerabilities: including but not limited to vulnerabilities in the Tomcat and Apache components used by OnePlus, OpenSSL, and third-party SDKs. If a reported vulnerability becomes publicly known within one month of report submission and OnePlus has already received the vulnerability through another channel, OnePlus will give the report a FAIL result. If OnePlus remains unaware of the vulnerability one month after it is made public and the vulnerability still exists in OnePlus's third-party products, OnePlus will reward the first reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.
- Client-side vulnerabilities: including but not limited to Android-native vulnerabilities and common app vulnerabilities. If a reported vulnerability becomes publicly known within three months of report submission and OnePlus has already received the vulnerability through another channel, OnePlus will give the report a FAIL result. If OnePlus remains unaware of the vulnerability three months after it is made public and the vulnerability still exists in OnePlus's third-party products, OnePlus will reward the first reporter. In general, this principle applies to low- and moderate-risk vulnerabilities.
- For vulnerabilities resulting from the same source, in general only the first reporter will be rewarded and the vulnerabilities will be counted as one.
- If several similar vulnerabilities exist in more than one parameter of the same URL, the vulnerabilities should be combined as appropriate. For different types of vulnerabilities in the same URL, only the reporter of the vulnerability with the greatest impact will be rewarded.
- Vulnerability reports should be as detailed and compliant as possible. The level of detail, the explanation of the vulnerability's root cause and exploitability, and the fix recommendations all affect the scoring to some extent. A report lacking a PoC, exploit information, or analysis details will be scored lower as a direct result.
- Reporting threats or intelligence already published online will be given no score.
- The review results for a vulnerability are determined based on the level of difficulty in exploitation as well as the degree and scope of its impact.
- Scanner results without proof of harm will be considered invalid.
- If you use security testing as an excuse to exploit security intelligence to harm the interests of users, affect the normal operation of our services, publish information about vulnerabilities before they are fixed, or steal user data, you will receive no score. In addition, OnePlus will reserve the right to take legal action.
6. Payment of Rewards
- In the first week of each month, the OneSRC settles rewards for all reported vulnerabilities confirmed valid in the previous month and announces the results on the OneSRC website. Cash rewards are paid within 20 working days. In special circumstances, payment may be postponed; we are grateful for your understanding.
- If the first week of a month falls on a statutory holiday (such as Chinese Spring Festival or National Day), the settlement date will be postponed to the following week, and the announcement and payment dates will be postponed accordingly.
- To receive a cash reward, the recipient must provide his or her PayPal account and PayPal name. The recipient shall provide authentic and valid personal information to ensure that the reward can be issued correctly. The OneSRC promises that all personal information provided by security researchers will be used only for the purpose of issuing rewards and will not be disclosed or used for any other purpose.
7. Dispute Handling
- If you disagree with the vulnerability handling process, review, and scoring results, please send an email to security@oneplus.com. The OneSRC will handle the feedback by following the principle that reporters' interests come first. When necessary, the OneSRC will bring in external experts for a joint decision.
- The OneSRC reserves the right to interpret this reward scheme to the extent permitted by law. We welcome suggestions from security researchers and reporters.
8. Prohibitions
OnePlus opposes and condemns all hacking activities that use vulnerability testing as a pretext to exploit security vulnerabilities and harm users' interests. These activities include but are not limited to stealing user information, hacking production systems, modifying or stealing system information, and maliciously spreading vulnerabilities or data. For the above behaviors, OnePlus will pursue legal action and hold the people involved accountable in accordance with the law.
9. Non-participants
OnePlus employees (including both regular and outsourced employees) and their immediate family members cannot participate in this reward scheme.
10. Clause Interpretation
The OneSRC reserves the right to interpret all the above clauses.