Opera’s security policy

Opera is committed to your security, and we have a long and proven track record of fulfilling that commitment. Below we take you through the process of how we handle security vulnerabilities when they are discovered and what steps we take to keep you, and others who are using our product, safe while online.

How we handle security reports

Security reports are always dealt with as a matter of the highest priority. When security reports are received, the potential threat is assessed as soon as possible. When a reported issue is identified as a security issue, the reporter is contacted. As is the industry convention, a disclosure date is agreed with the reporter.

A disclosure date is agreed on a case-by-case basis. Delay between report and disclosure allows a fix to be prepared and tested, and checked for any other related problems. At the same time, it ensures that users are not left with a publicized vulnerability, without any means to upgrade.

When and where necessary, the reporter may also be asked for more information about how to reproduce the issue. Occasionally, reports of possible security issues are found not to be about exploitable security issues. Where appropriate, the reporter will be contacted with an explanation of why we believe this is not a security issue.

How vulnerabilities are disclosed

On the date agreed with the reporter, a security advisory is issued by us. We publish details of the issue, our solution to the issue, and in most cases a recommendation to upgrade to the latest official release. Typically, this advisory release would coincide with the release of a new Opera version, and the changelog for that version would include a mention of the issue and a link to the corresponding advisory. The original reporter will usually be credited. An advisory will not usually explain how an issue may be exploited, but will contain enough information to identify a specific issue.

How Opera’s security group works

In addition to dealing with incoming reports, Opera’s security group proactively looks for potential security issues. When new technologies are considered or implemented, our security group assesses those technologies for possible security implications, and specifications and implementations may be changed accordingly.

After implementation and release, this effort continues. If issues are discovered, they are fixed, and the fix is released in a new Opera version. Where appropriate, the release changelog will mention the security fix, and an advisory may be issued.

How we rate security issues

When security agencies report an issue, they will typically include a severity rating, based on how easy it is to exploit the issue and the potential effects of a successful exploit. Examples include:

  • Crashers that prevent the application from restarting
  • Possibility to make one Web site appear to be another Web site
  • Ability to execute arbitrary code
  • Ability to read login information for other sites, or files on the user’s system

As the issue is investigated, more details may be discovered about the severity or ease of exploit. In some cases, we may find that the reporter has given the issue too high or too low a rating. This may mean that we give an updated rating, based on our own knowledge of the issue. This rating may also be revised following further investigation.

What if Opera is not the only application affected

Occasionally, we find that an issue affects applications released by other vendors. In these cases, if the original reporter has not contacted the other vendors, we may contact the affected vendors.

In these cases, the disclosure date may be delayed to give the other vendors time to issue their own patches. Web security depends on vendors cooperating to improve protection for all users. Publicly disclosing details of the vulnerability before the other vendors have had an opportunity to fix their applications would leave their users vulnerable. Security advisories will usually be released by vendors and the reporter on the new agreed date. If a patched release is issued earlier than this date, its changelog may not contain details of the vulnerability, but should contain a note saying that it is a security upgrade, and that more details will be added later.

Reporting security vulnerabilities

We prefer that security vulnerabilities are reported via our Bug tracking system, with "What kind of problem" set to "Security issue". If you need to add test cases or documents to the report, this can be done via an email address unique to each filed report.

It is also possible to report vulnerabilities via email to security (at) opera dot com.

Mails and attachments can be protected with PGP encryption using this PGP key.

More information

For more information on how to report security issues to Opera, please also see our Opera Labs article.

Opera changelogs.