Raising the stakes: Doubling the rewards on our bug bounty program

Raising the stakes: Doubling the rewards on our bug bounty program

Rick van Galen by Rick van Galen on

At 1Password, we’re always striving to make our products and services as secure as possible, and we couldn’t do it without your help. To say thanks, we’re increasing our bug bounty rewards.

Since day one, we’ve encouraged everyone to reach out to us with suggestions around how we could improve 1Password security. Though our team works hard every day to design and build the most secure password manager there is, that doesn’t mean we don’t have blind spots. That’s why we’ve worked with Bugcrowd since 2017 to be able to reward researchers who point us towards anything we might have missed. When a researcher finds something we’ve overlooked, we want to hear from them, and reward them for their efforts.

In the last few years we’ve rewarded more than one hundred submissions to our Bugcrowd program, with an average reward payout of over $800 (USD). While our $100,000 (USD) top bounty remains unclaimed, we find enormous value in the reports we get at the other levels. The creativity on display in some of the reports, even if they’re minor issues, is amazing. We’re excited to announce today that we’re doubling the maximum rewards for researchers at those levels. This means researchers can be rewarded up to $300 (USD) for small suggestions, and up to $30,000 (USD) for the highest priority bugs below the top bounty.

Ready to dive in?

1Password has many layers of defense to protect customer data from prying eyes at all times. As a result, even just taking a glance at the security of 1Password services requires a serious time investment. That’s why we are also open sourcing a tool for security researchers to make it easier to dive in and start testing 1Password. This allows anyone familiar with Burp Suite – a tool commonly used to assess the security of web applications and APIs – to easily take a closer look.

Want to get involved? Here’s how:

  1. Go to bugcrowd.com and set up an account.
  2. Read the documentation on the 1Password Bugcrowd profile
  3. Read the AgileBits Bugcrowd brief to find additional documentation on APIs, hints about the location of some of the flags, and other resources, as well as the Burp Suite plugin.
  4. Get started!

Security Engineer

Rick van Galen - Security Engineer Rick van Galen - Security Engineer

Tweet about this post