A note regarding rewards:

  • Only capturing the unencrypted "bad poetry" flag is eligible for the $25k reward (see below for more details).
  • All other findings will be prioritized as per the Bugcrowd vulnerability rating taxonomy - with P1 findings rewarded at $5k.

Please note that: this is NOT an easy web target (for instance, running scanners is unlikely to help you here, and standard XSS-type injections won't yield much either). That said, 1Password is committed to helping you succeed on this program. To this end, they've setup a researcher vault with additional, helpful information, that requires you opt-in to receive an invite. You can opt-in by emailing julie@agilebits.com with your Bugcrowd username, and you'll be provisioned account access to the vault where 1Password provides supplemental information for testing against the application - including documentation on real issues that were recently found (so as to give direction towards where more issues may be present) and more.

Furthermore, 1Password wishes to facilitate a white-box testing environment as best they can - to this end, if you have any questions regarding the workings of the application, or requests for information on the API, you're encouraged to email them at julie@agilebits.com.

1Password has included REST API documentation, including the URI, method and parameters for a number of interfaces. Additional APIs may be requested, on a best-effort basis. 1Password will also accept flaw-hypothesis submissions, without penalty, and will work with you to develop a reasonable hypothesis into a working exploit, should one be possible.

1Password remembers your passwords for you — and helps you make them stronger. All your secrets are secure and always available, safe behind the one password that only you know.

With 1Password for Teams, you have full control over who has access to your most important information. It's never been so easy to share the simple security of 1Password with everyone.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at AgileBits. Every day new security issues and attack vectors are created. AgileBits strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

This program focuses on teams signups and basic infrastructure, and expand to cover all of the server-side APIs. It is our intention that this program include White Box Testing features, allowing researchers to cut to the chase and attack the product more directly, with API documentation provided on a best-effort basis.

The guest vault includes information needed to attempt to "Capture The Bad Poetry" (if one is able to capture the bad poetry, there's a set reward amount of $25,000) - as well as an item which is set to be read-only so that researchers may attempt an unauthorized item modification. See the "Researchers" vault for more details.

Two account types -- Business and Family -- are included in the program. As a member of the bugcrowd-test Business account, you will be testing the product as an unprivileged member of the bugcrowd-test account. If you wish to test the product as a privileged account member, you may also sign up for your own Business or Family account. All initial signups receive a free trial period that is at least 30 days long. Please be sure to sign up using your bugcrowdninja.com domain email address so we can track your account as part of the program. Additionally, AgileBits may, at its sole discretion, extend your account as you continue to make submissions as part of the program. Please contact julie@agilebits.com to extend your free account as you continue to make submissions in this program. Happy Bug Hunting!!!

Note: Server-side APIs are the focus area for this program. Please contact support+bugcrowd@1password.com for assistance in getting your guest membership in "bugcrowd-test" approved as quickly as possible. White box testing materials are available through that team. Additionally, this program may require use of a Mac OS X or iOS device for some tasks where full Android and Window support is not yet available.

Note: the $25,000 top reward is only for the capture of the bad poetry 'flag' -- more information for this is contained within the researcher's vault on the application.


In scope

All other subdomains, except your account-specific (Business or Family) subdomain and the white box testing team subdomain listed above, are out of scope.


There are two ways you can authenticate to the application:
- via the Bugcrowd test team (you must request an invite by sending a request to julie@agilebits.com) [note that this is the only area where you can access information regarding the 'bad poetry' flag and internal api documentation, etc]
- via your own team account (this can be created by registering your own account [you MUST use your username@bugcrowdninja.com email address])

1Password wants to help you!

If you have something that you feel is close to exploitation, or if you'd like some information regarding the internal API, or generally have any questions regarding the app that would help in your efforts, please create a submission and ask for that information. As stated above, 1Password wants to help you find bugs, and is more than willing to help.

Note: There is rate limiting present on the application, so be careful in running scanners or anything that might send an excessive number of requests and add additional waiting to your testing. For this program we request that you submit flaw hypotheses for any enumeration vulnerabilities you believe you have found.

Note: The following is worth reading to give more context into the application:


Regarding design decisions: while we are always willing to entertain discussions about design decisions, please understand that the design has been extensively reviewed by our internal team as well as external reviewers.

The following list of focus areas uses "Teams" to refer to all two account types -- Business and Family. Both account types are included in this program.

Focus Areas:

  • Teams website
    • Static marketing web pages under teams.1password.com
  • Team (Business and Family) signup process
    • Team owner
    • Team members
    • Including guest members
  • Sign in / authentication
  • Teams web application
    • Vaults must be created through the Teams web application
    • All vault and user management must be performed through the Teams web application.
    • Admin Console
    • Vault creation and sharing
    • Team member invitation and approval
      • Assign new team members to vaults
    • Owners, admins and recovery
    • Guest user invitation and removal
    • User removal
    • Account recovery
    • Selected vault view
    • View vault items as ordinary user
      • See Native apps section
    • Repeat as Admin user
      • May be able to see more vaults
      • Cannot see other users' personal vaults
    • Repeat as Guest user
      • Should only have access to specific vaults
      • No personal vault
      • Restricted permissions
    • Repeat as suspended user
      • Cached data may be available for some period of time
      • No new back-end server requests should be honored
  • Native apps (Android 5.0+, iOS, OS X, Windows)
    • Item creation through native applications
    • Item deletion through native applications
    • Item updates through native applications
    • Item sharing / copying through the native applications

Out of Scope:

  • Standard out of scope information
  • Headers used to maintain session state (Session ID)
  • Scheduled infrastructure changes
  • DDoS/DoS attacks
    • Enumeration attacks require prior notification and approval
  • agilebits.com website is out of scope completely.

The following finding types are specifically excluded from the bounty:

  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled
  • HTTPS Mixed Content Scripts
  • Username / email enumeration
    • via Login Page error message
    • via Forgot Password error message
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP
    • Content-Security-Policy-Report-Only
  • SSL Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack
    • SSL Forward secrecy not enabled
    • SSL weak / insecure cipher suites
    • Rate-limiting HTTP response codes (429)

Out of Scope bugs for Android apps

  • Any bugs which do not compromise account, user, vault or item security
  • Any bugs which require use of a debugger or hardware tools to recreate

Out of Scope bugs for iOS apps

  • Any bugs which do not compromise account, user, vault or item security
  • Any bugs which require use of a debugger or hardware tools to recreate

Out of Scope bugs for Windows (all versions)

  • Any bugs which do not compromise account, user, vault or item security
  • Any bugs which require use of a debugger or hardware tools to recreate

Out of Scope bugs for Mac OS X

  • Any bugs which do not compromise account, user, vault or item security
  • Any bugs which require use of a debugger or hardware tools to recreate

Out of Scope bugs for Other operating systems

  • Any bugs which do not compromise account, user, vault or item security
  • Any bugs which require use of a debugger or hardware tools to recreate
  • Any bugs caused by operating system virtualization or emulation

Note: the $25,000 top reward is only for the capture of the bad poetry 'flag' -- more information for this is contained within the researcher's vault on the application.

Priority Criticality Description Reward amount (*up to)
P1 CRITICAL Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allows remote code execution, financial theft, etc. Examples: Remote Code Execution, Vertical Authentication bypass, XXE, SQL Injection, User authentication bypass. $5000
P2 HIGH Vulnerabilities that affect the security of the platform including the processes it supports. Examples: Lateral authentication bypass, some Stored XSS (depending on impact), some CSRF depending on impact. $500
P3 MEDIUM Vulnerabilities that affect multiple users, and require little or no user interaction to trigger. Examples: Reflective XSS, Direct object reference, some Stored XSS (depending on impact), URL Redirect, some CSRF depending on impact. $200
P4 LOW Issues that affect singular users and require interaction or significant prerequisites (MitM) to trigger. Examples: Common flaws, Debug information, Mixed Content. $100
P5 BIZ ACCEPTED RISK Non-exploitable weaknesses in functionality and “won’t fix” vulnerabilities. Examples: Best practices, mitigations, issues that are by design or deemed acceptable business risk to the customer such as use of CAPTCHAS, Code Obfuscation, SSL Pinning, etc. No Reward


This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.