Opera: What should I do after discovering browser security vulnerabilities?

Source: Internet
Author: User

Chinese people have discovered that security vulnerabilities in IE browsers are everywhere. Because vulnerability information was disclosed early, hundreds of millions of users around the world are exposed to various potential attacks.
I just found a document about the Opera security policy, and a translation of it may be helpful to vulnerability researchers. Although the article is about Opera, it includes all the industry practices for handling browser security vulnerabilities. Discovering a vulnerability is your ability; so is properly handling the discovered vulnerability. The full text is as follows (some Opera-specific information has been deleted to focus on industry practices; "we" in this article refers to the Opera team):

The full English text is at:
http://www.opera.com/security/policy/

How to handle security reports
Security issues always have the highest priority. When we receive a security report, we assess the potential threat as soon as possible. When a report is identified as a security issue, we immediately contact the reporter. As is industry practice, the reporter agrees to a date for publication of the issue.

The publication date depends on the actual situation. Before publication, there is time to prepare and test the fix and to check for any other problems. This also ensures that users are not exposed to a publicly known vulnerability with no upgrade available.

If necessary, the reporter will also be asked for details on how to reproduce the problem. Sometimes a possible security problem turns out to be a vulnerability that is not exploitable. Where appropriate, we will contact the reporter and explain specifically why we do not consider it a security issue.

How to publish Security Vulnerabilities

We will release a security advisory on the date agreed with the reporter. At the same time, we will announce the details of the problem and its solution. In most cases, we recommend upgrading to the latest official version. In general, the advisory is released at the same time as the new Opera version. The change log of that version mentions the problem and provides a link to the advisory. The initial reporter is generally thanked. A security advisory usually does not explain how to use the problem for an attack, but it provides enough information to identify the problem.

 

Security issue rating

When security organizations report a problem, they generally include a severity rating, which is based on how difficult the vulnerability is to attack and on its potential harm. Examples include:
- The application crashes and cannot be restarted
- A website is able to disguise itself as another website
- Ability to execute arbitrary code
- Ability to read login information from other sites and files on the user's system

While investigating the problem, we learn more about how difficult it is to use the problem for an attack. In some cases, we may find that the reporter has rated the problem too high or too low. This may mean that we update the rating based on our understanding of the issue. The rating may change again during further investigation.

If Opera is the only affected Program

We occasionally find that a problem also affects applications from other vendors. In this case, if the initial reporter has not contacted the application vendor, we may contact the affected vendor.

In such cases, the publication date may be postponed until the affected vendors release their own patches. Network security relies on vendor cooperation to protect all users. Publishing vulnerability details before a vendor has had the opportunity to fix the vulnerability puts users at risk. Security advisories are often released by reporters and vendors on the new date. If a fixed version has already been released, its change log may not contain details about the vulnerability, but it should state that this is a security update, with more details added afterwards.
