
More than just a penny for your thoughts — $100,000 top bounty

We believe that we’ve designed and built an extremely secure password management system. We wouldn’t be offering it to people otherwise.  But we know that we – like everyone else – may have blind spots. That is why we very much encourage outside researchers to hunt for security bugs. Today we are upping that encouragement by raising the top reward in our bug bounty program.

We have always encouraged security experts to investigate 1Password, and in 2015 we added monetary rewards through Bugcrowd. This has been a terrific learning experience both for us and for the researchers. We’ve learned of a few bugs, and they’ve learned that 1Password is not built like the web services they are used to attacking. [Advice to researchers: Read the brief carefully and follow the instructions for where we give you some internal documentation and various hints.]

Since we started with our bounty program, Bugcrowd researchers have found 17 bugs, mostly minor issues during our beta and testing period. But there have been a few higher payout rewards that pushed up the average to $400 per bug. So our average payout should cover a researcher’s Burp Suite Pro license for a year.

So far none of the bugs represented a threat to the secrecy of user data, but even small bugs must be found and squashed. Indeed, attacks on the most secure systems nowadays tend to involve chaining together a series of seemingly harmless bugs.

Capture the top flag to get $100,000


Our 1Password bug bounty program offers tiered rewards for bug identification, starting at $100. Our top prize goes to anyone who can obtain and decrypt some bad poetry (in particular, a horrible haiku) stored in a 1Password vault that researchers should not have access to. We are raising the reward for that from $25,000 to $100,000. (All rewards are listed in US dollars, as those are easier to transfer than hundreds or thousands of Canadian dollars worth of maple syrup.) This, it turns out, makes it the highest bounty available on Bugcrowd.

We are raising this top bounty because we want people really trying to go for it. It will take hard work to even get close, but that work can pay off even without reaching the very top prize: In addition to the top challenge, there are other challenges along the way. But nobody is going to get close unless they make a careful study of our design.

Go for it

Here’s how to sign up:

  • Go to bugcrowd.com and set up an account.
  • Read the documentation on the 1Password bugcrowd profile
  • The AgileBits Bugcrowd brief instructs researchers where to find additional documentation on APIs, hints about the location of some of the flags, and other resources for taking on this challenge. Be sure to study that material.
  • Go hunting!

If you have any questions or comments – we’d love to hear from you. Feel free to respond on this page, or ping us an email at security@agilebits.com.

4 replies
    • Jeffrey Goldberg says:

      Thank you!

      Expert scrutiny from outside experts is pretty much essential to improving security. As defenders (my job title is “Chief Defender Against the Dark Arts”) we try to think like attackers, but it is best to actually have skilled attackers go at it.

    • Jeffrey Goldberg says:

      Hi Vincent,

      Nobody was able to capture and decrypt the first round Bad Poetry, but one very talented researcher was able to acquire it in encrypted form. It was a beautiful and insightful attack against our early authentication system, which I hope to get a chance to write about. (I was largely responsible for the bug he found in our implementation, and it involved solving an equation the way that one might wish to do in high school Algebra: Multiplying both sides by zero.)

      But we have designed 1Password so that even if you find an authentication bug, you cannot decrypt the data you might retrieve. I think that this helps illustrate the importance of end-to-end encryption. So although he got very far, he didn’t actually learn that first round Bad Poetry until we published it.

      Partial credit counts. We rewarded that fully even though he didn’t decrypt the Bad Poetry; his efforts very much helped us test and improve 1Password, and it was easily worth the cost of the bounty to find and fix my bug before the service went fully public. (And no, the boss did not take it out of my pay.) We need more researchers like him who are ready to study 1Password deeply and test our assumptions. That is why we have raised the bounty.

      The overwhelming majority of bugs reported and rewarded posed no threats to customer data, but involved things that should be tidied up anyway. For example, making sure that a Team owner can’t inject JavaScript into an invitation email, or that someone can’t use our invitation emails to send annoying messages or spam. Those were also good catches that needed to be addressed, but they were more about preventing our service being co-opted for abuse than about threats to 1Password data.
