More than just a penny for your thoughts — $100,000 top bounty

We believe that we’ve designed and built an extremely secure password management system. We wouldn’t be offering it to people otherwise. But we know that we – like everyone else – may have blind spots. That is why we very much encourage outside researchers to hunt for security bugs. Today we are upping that encouragement by raising the top reward in our bug bounty program.

We have always encouraged security experts to investigate 1Password, and in 2015 we added monetary rewards through Bugcrowd. This has been a terrific learning experience both for us and for the researchers. We’ve learned of a few bugs, and they’ve learned that 1Password is not built like the web services they are used to attacking. [Advice to researchers: read the brief carefully and follow its instructions on where to find the internal documentation and hints we provide.]

Since we started our bounty program, Bugcrowd researchers have found 17 bugs, mostly minor issues during our beta and testing period. But there have been a few higher payouts that pushed the average up to $400 per bug. So our average payout should cover a researcher’s Burp Suite Pro license for a year.

So far none of the bugs represented a threat to the secrecy of user data, but even small bugs must be found and squashed. Indeed, attacks on the most secure systems nowadays tend to involve chaining together a series of seemingly harmless bugs.

Capture the top flag to get $100,000

Our 1Password bug bounty program offers tiered rewards for bug identification, starting at $100. Our top prize goes to anyone who can obtain and decrypt some bad poetry (in particular, a horrible haiku) stored in a 1Password vault that researchers should not have access to. We are raising the reward for that from $25,000 to $100,000. (All rewards are listed in US dollars, as those are easier to transfer than hundreds or thousands of Canadian dollars’ worth of maple syrup.) This, it turns out, makes it the highest bounty available on Bugcrowd.

We are raising this top bounty because we want people to really go for it. It will take hard work to even get close, but that work can pay off even without reaching the very top prize: in addition to the top challenge, there are other challenges along the way. But nobody is going to get close unless they make a careful study of our design.

Go for it

Here’s how to sign up:

  • Go to bugcrowd.com and set up an account.
  • Read the documentation on the 1Password Bugcrowd profile.
  • The AgileBits Bugcrowd brief tells researchers where to find additional documentation on APIs, hints about the location of some of the flags, and other resources for taking on this challenge. Be sure to study that material.
  • Go hunting!

If you have any questions or comments, we’d love to hear from you. Feel free to respond on this page, or send us an email at security@agilebits.com.

8 replies
    • Jeffrey Goldberg says:

      Thank you!

      Expert scrutiny from outside experts is pretty much essential to improving security. As defenders (my job title is “Chief Defender Against the Dark Arts”) we try to think like attackers, but it is best to actually have skilled attackers go at it.

    • Jeffrey Goldberg says:

      Hi Vincent,

      Nobody was able to capture and decrypt the first round Bad Poetry, but one very talented researcher was able to acquire it in encrypted form. It was a beautiful and insightful attack against our early authentication system, which I hope to get a chance to write about. (I was largely responsible for the bug he found in our implementation, and it involved solving an equation the way that one might wish to do in high school algebra: multiplying both sides by zero.)

      But we have designed 1Password so that even if you find an authentication bug, you cannot decrypt the data you might retrieve. I think that this helps illustrate the importance of end-to-end encryption. So although he got very far, he didn’t actually learn that first round Bad Poetry until we published it.

      Partial credit counts. We rewarded that fully even though he didn’t decrypt the Bad Poetry; his efforts very much helped us test and improve 1Password, and it was easily worth the cost of the bounty to find and fix my bug before the service went fully public. (And no, the boss did not take it out of my pay.) We need more researchers like him who are ready to study 1Password deeply and test our assumptions. That is why we have raised the bounty.

      The overwhelming majority of bugs reported and rewarded posed no threats to customer data, but involved things that should be tidied up anyway. For example, making sure that a Team owner can’t inject JavaScript into an invitation email, or that someone can’t use our invitation emails to send annoying messages or spam. Those were also good catches that needed to be addressed, but they were more about preventing our service being co-opted for abuse than about threats to 1Password data.

  1. Niall says:

    The problem you’ll find is that very few (if any) suitable people will be willing to waste their time and effort doing this for free. 1Password won’t pay you unless you meet their strict criteria.

    Doing a good crypto audit can take months. Nobody worth their salt (excuse the pun) will have this much time on their hands … they’re all working as White Hat Hackers and getting paid for it.

    Crypto Guru Bruce Schneier wrote an excellent article: The Fallacy of Cracking Contests*.

    *https://www.schneier.com/crypto-gram/archives/1998/1215.html#contests

    Other experts have written about them too, saying that they’re a waste of time:

    https://moxie.org/blog/telegram-crypto-challenge/

    If the true experts can’t be bothered (because they’ve got mouths to feed and bills to pay) then you’re left with unsuitable people who aren’t going to discover the issues.

    What I’d like to know is why 1Password don’t pay for a proper, independent assessment and external audit of the product/service?

    • Jeffrey Goldberg says:

      Hi Niall! I’m sorry for not getting back to you earlier.

      Comprehensive code reviews and bug bounty programs serve different, but overlapping, purposes. And when you have something as large as 1Password, along with how quickly it changes, there is an enormous difference in cost. We would gladly pay $100,000 to find a bug as substantial as the ability to read the Horrible Haiku. But we are less inclined to pay the same amount of money to undergo a long tedious process that may only find just a bunch of little things that can be improved upon. With the bug bounty, we pay small amounts for small problems, and big amounts for big problems.

      The advantage of bug bounties, in addition to cost savings, is that it is on-going. I can see from security/error logs some of the things people are trying every day. A code review is a one time thing, and by the time it would be complete it would be reporting on a version of 1Password that would be six months out of date.

      Now we do sometimes bring in outside people to study portions of our code. We want their expertise and external views to help see if we have done something wrong. But because those are not formal and comprehensive processes, the reviewers (correctly) don’t want to say that they have reviewed and approved. They only looked at particular parts (e.g., is our Encrypt-then-MAC authenticated encryption implementation correct? Are we calling crypto libraries properly? etc.). They are free to look at everything, but doing so, and doing so systematically, would be an enormous undertaking.

      So we really are trying to find the most bugs for the buck. But we don’t find it a good use of our time to try to explain to people who run static analysis that it is perfectly fine for us to use SHA1 for reading legacy data. We’ve chosen our program to help us get the most serious and helpful results. And at the moment, this bug bounty program is that.

  2. Andrew Hardy says:

    It’s hard to tell without joining the program and spending time digging into the details, but on the surface it sounds like this boiled down to “break into some of our systems (oh, AND CRACK AES-256) to win $100,000”.

    Was it possible to get access to the poetry without finding flaws in the encryption algorithms that cryptographers have devised, or were all the keys necessary to decrypt the poetry stored (protected in some other way) somewhere on 1Password systems that were within scope for this challenge? If not, it seems like the $100,000 bounty could mislead people into believing their passwords are safer in 1Password than they actually are.

    From what we know, nation states with billions of dollars to throw at cracking AES-256 etc. haven’t been able to do it. It’s not the encryption algorithms that should be of concern to your users, it’s all the rest of the system. Ultimately what we care about is whether there are ANY flaws that could expose our passwords (or our entire vaults!). Those flaws are virtually certainly going to be in the rest of the system, so excluding those parts of the system from the $100,000 prize would mean it has very little to do with 1Password’s security as a whole.

    • Jeffrey Goldberg says:

      Hi Andrew! You are of course right that the ability to break AES is worth far more than a meager $100,000. It would be world changing. But it isn’t AES that we are trying to test here. It is everything from the key management (how those AES keys are handled) to details of our specific implementations. A system isn’t automatically as secure as AES just because it uses AES; it has to use it correctly.

      So if we have designed 1Password well and if we have implemented that design properly then capturing and decrypting the Horrid Haiku should be as hard as breaking AES; but it is those “if”s that we are testing.

      By the way, this should also serve as a reminder that when something correctly advertises itself as “secured with AES 256 bit encryption”, it is talking about the strongest part of the system. But attackers are going to go after the weaker parts. And so we are inviting people to look for weak spots. As system designers, it is nice to know that the strongest parts of the system are phenomenally strong, but our focus must be on strengthening potentially weaker parts of a system. And so we offer a nice incentive for people to try to find such spots.
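The point made in this reply and in the earlier one about authentication bugs (keys are derived on the client, so a login flaw yields ciphertext rather than plaintext, and the AES layer is never the part under test) can be seen in a small model. This is an added illustration, not 1Password’s code: the PBKDF2 parameters, the key labels, the constructed salt and haiku, and the HMAC-SHA256 counter-mode cipher standing in for AES-GCM are all assumptions made for the example.

```python
"""Toy end-to-end vault model (added illustration, not 1Password's code).
Every key is derived on the client from the master password; the server keeps
only a login verifier and the ciphertext, so an authentication bug hands an
attacker the blob, not the plaintext. HMAC-SHA256 in counter mode plus an HMAC
tag (encrypt-then-MAC) stands in for AES-GCM so this runs on the stdlib alone.
"""
import hashlib
import hmac
import os

SALT = b"constructed-account-salt"  # constructed sample value

def derive_muk(password: bytes, salt: bytes) -> bytes:
    """Master Unlock Key via PBKDF2; the iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def sub_key(muk: bytes, label: bytes) -> bytes:
    """Domain separation: the login verifier cannot be turned into enc/mac keys."""
    return hmac.new(muk, label, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: blob = nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def scenario(password: bytes = b"correct horse", haiku: bytes = b"constructed haiku"):
    """Returns (legitimate client reads the haiku, attacker holding the blob reads it)."""
    muk = derive_muk(password, SALT)
    auth, enc, mac = (sub_key(muk, lab) for lab in (b"auth", b"enc", b"mac"))
    server = {"verifier": auth, "blob": seal(enc, mac, haiku)}  # all the server ever holds
    stolen = server["blob"]  # the auth bug, modelled as the blob leaking without a login
    try:  # even the server-side secret (the verifier) does not open the blob
        unseal(server["verifier"], server["verifier"], stolen)
        attacker_wins = True
    except ValueError:
        attacker_wins = False
    return unseal(enc, mac, stolen) == haiku, attacker_wins
```

`scenario()` returns `(True, False)`: the client that derived the keys reads the haiku, while whoever obtained the blob through the modelled authentication bug gets only a failed tag check.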
