1Password

  • Points – $15,000 per vulnerability
  • Up to $100,000 maximum reward
  • Safe harbor
  • Managed by Bugcrowd

Program stats

82 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$1,080 average payout (last 3 months)

Program details
Thanks for your interest in the 1Password bug bounty program! We're happy you're here.
Our goal is to make 1Password as secure as possible and we see that ongoing process as a team effort. External security evaluations are an important part of the process and make 1Password a better, safer product. We need researchers who can think creatively, and work 'outside the box', to find security bugs.
We use scope to point people to what we want tested. Out of scope targets can receive rewards, but they are at our discretion.
This is not an easy program. For example, running scanners is unlikely to help you here, and standard XSS-type injections won't yield much either. But we want to help.
Doing our part
1Password is committed to helping you succeed in this program, so we've set up a researcher vault with additional helpful information. To receive an invitation to the vault, opt in by emailing support+bugcrowd@agilebits.com with your Bugcrowd username; you'll be provisioned account access to the 1Password vault where we provide supplemental information for testing. This includes documentation on real issues that were recently found (which may provide direction toward more issues) and more.
If you believe you've found something close to exploitation, but aren't quite there yet, we are happy to answer any questions you have that could help you further your theory. Note that some requests may not be answered unless documentation already exists, depending on the complexity. In other words, we'll make a good faith effort to help you, but understand that complex or very time-consuming requests do not come with any guarantee of help.
Where to start
Our White Paper is your guide. It explains our security decisions and several considerations. At the very least, please read the Beware of the Leopard section (page 52).
Capture the flag
The 'flag' you're after is a note in the white box testing account that contains bad poetry. But our version of Capture the Flag is unlike others. There are no known vulnerabilities that will award you access to the bad poetry; there is no starting point, and it's not a game with a guaranteed reward.
Phishing, malware, and anything that involves tricking or compromising a 1Password member's account are not allowed.
We are happy to answer general questions and to help you understand 1Password, but we will not provide any direct assistance to assist with capturing the 'flag'.
We want to hear from you
We love feedback about our bug bounty program and documentation; we appreciate any comments about how we might improve our approach.

Please note: This is NOT an easy web target (for instance, running scanners is unlikely to help you here, and standard XSS-type injections won't yield much either). That said, 1Password is committed to helping you succeed on this program. To this end, they've set up a researcher vault with additional helpful information, which requires that you opt in to receive an invite. You can opt in by emailing support+bugcrowd@agilebits.com with your Bugcrowd username, and you'll be provisioned account access to the vault where 1Password provides supplemental information for testing against the application, including documentation on real issues that were recently found (to give direction towards where more issues may be present) and more.

Reward Guidelines

Only capturing the unencrypted "bad poetry" flag is eligible for the $100k reward. See below for more details.

Reward range

Technical severity   Reward range
P1 Critical          Up to $15,000
P2 Severe            Up to $3,000
P3 Moderate          Up to $300
P4 Low               Up to $150

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                                                                    Type    Tags
Your own 1Password subdomain (https://<your account domain>.1password.com/)    Other   Moment.js, Lodash
Account (Business, Family) signup page (https://start.1password.com)           Other   Moment.js, Lodash
White Box Test team (https://bugcrowd-test.1password.com)                      Other

Out of scope

Target name        Type
*.agilebits.com    Website Testing

All other subdomains, except your account-specific (Business or Family) subdomain and the white box testing team subdomain listed above, are out of scope.

Credentials:

There are two ways you can authenticate to the application:

  • via the Bugcrowd test team (you must request an invite by sending a request to support+bugcrowd@agilebits.com) [note that this is the only area where you can access information regarding the 'bad poetry' flag and internal api documentation, etc]
  • via your own team account (this can be created by registering your own account [you MUST use your username@bugcrowdninja.com email address])

When submitting, please be sure to include email credentials and all recent IPs.

Note: Server-side APIs are the focus area for this program. Please contact support+bugcrowd@1password.com for assistance in getting your guest membership in "bugcrowd-test" approved as quickly as possible. White box testing materials are available through that team. Additionally, this program may require use of a Mac OS X or iOS device for some tasks where full Android and Windows support is not yet available.

Focus Areas:

  • Teams website
    • Static marketing web pages under teams.1password.com
  • Team (Business and Family) signup process
    • Team owner
    • Team members
    • Including guest members
  • Sign in / authentication
  • Teams web application
    • Vaults must be created through the Teams web application
    • All vault and user management must be performed through the Teams web application.
    • Admin Console
    • Vault creation and sharing
    • Team member invitation and approval
      • Assign new team members to vaults
    • Owners, admins and recovery
    • Guest user invitation and removal
    • User removal
    • Account recovery
    • Selected vault view
    • View vault items as ordinary user
      • See Native apps section
    • Repeat as Admin user
      • May be able to see more vaults
      • Cannot see other users' personal vaults
    • Repeat as Guest user
      • Should only have access to specific vaults
      • No personal vault
      • Restricted permissions
    • Repeat as suspended user
      • Cached data may be available for some period of time
      • No new back-end server requests should be honored
  • Native apps (Android 5.0+, iOS, OS X, Windows)
    • Item creation through native applications
    • Item deletion through native applications
    • Item updates through native applications
    • Item sharing / copying through the native applications

General Exclusions:

  • Headers used to maintain session state (Session ID)
  • Scheduled infrastructure changes
  • DDoS/DoS attacks
  • MFA
  • Any attack requiring root access
  • Enumeration attacks require prior notification and approval

Excluded bugs for Android, iOS, Windows, and macOS apps

  • Any bugs which do not compromise account, user, vault or item security
  • Any bugs which require use of a debugger or hardware tools to recreate
  • Any bugs which depend on memory dumps or tools that read active or cached memory

Excluded bugs for Other operating systems

  • Any bugs which do not compromise account, user, vault or item security
  • Any bugs which require use of a debugger or hardware tools to recreate
  • Any bugs caused by operating system virtualization or emulation
  • Any bugs which depend on memory dumps or tools that read active or cached memory

1Password wants to help you!

If you have something that you feel is close to exploitation, or if you'd like some information regarding the internal API, or generally have any questions regarding the app that would help in your efforts, please create a submission and ask for that information.

Furthermore, 1Password wishes to facilitate a white-box testing environment as best they can - to this end, if you have any questions regarding the workings of the application, or requests for information on the API, you're encouraged to email them at support+bugcrowd@agilebits.com.

1Password will also accept flaw-hypothesis submissions, without penalty, and will work with you to develop a reasonable hypothesis into a working exploit, should one be possible.


Product Notes:

1Password remembers your passwords for you — and helps you make them stronger. All your secrets are secure and always available, safe behind the one password that only you know.

With 1Password for Teams, you have full control over who has access to your most important information. It's never been so easy to share the simple security of 1Password with everyone. Additional information can be found here.

This program focuses on teams signups and basic infrastructure, and has expanded to cover all of the server-side APIs. It is our intention that this program include White Box Testing features, allowing researchers to cut to the chase and attack the product more directly, with API documentation provided on a best-effort basis.

1Password has included REST API documentation, including the URI, method and parameters for a number of interfaces. Additional APIs may be requested, on a best-effort basis.

The guest vault includes information needed to attempt to "Capture The Bad Poetry" as well as an item which is set to be read-only so that researchers may attempt an unauthorized item modification. See the "Researchers" vault for more details.

Two account types -- Business and Family -- are included in the program. As a member of the bugcrowd-test Business account, you will be testing the product as an unprivileged member of the bugcrowd-test account. If you wish to test the product as a privileged account member, you may also sign up for your own Business or Family account. All initial signups receive a free trial period that is at least 30 days long. Please be sure to sign up using your bugcrowdninja.com domain email address so we can track your account as part of the program. Additionally, AgileBits may, at its sole discretion, extend your account as you continue to make submissions as part of the program. Please contact support+bugcrowd@agilebits.com to extend your free account as you continue to make submissions in this program. Happy Bug Hunting!!!

Other Notes

Rate limiting - There is rate limiting present on the application, so be careful when running scanners or anything else that sends an excessive number of requests: tripping the limit will only add waiting time to your testing. For this program we request that you submit flaw hypotheses for any enumeration vulnerabilities you believe you have found.

Design decisions - While we are always willing to entertain discussions about design decisions, please understand that the design has been extensively reviewed by our internal team as well as external reviewers.

Program Rules

  • Automated requests/scanning must be kept to under 45 requests per minute.
  • Please provide detailed reports with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.
  • Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  • When duplicates occur, we only award the first report that was received (provided that it can be fully reproduced).
  • Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
  • If you believe your testing may cause a spike in errors or potentially disrupt service, please get in touch with us first so we can discuss less disruptive options (support+bugcrowd@1password.com).
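The "Rate limiting" note above and the 45-requests-per-minute rule in this list both come down to the same practical need: any automated testing must be throttled on the client side. The following is an added example, not code from 1Password or Bugcrowd, of a sliding-window limiter that caps calls at a configurable number per rolling 60-second window (defaulting to 44, one under the program's ceiling). The `FakeClock` and `simulate` helpers are constructed here purely so the throttle can be checked offline; they model time, not the 1Password service.

```python
import time
from collections import deque


class SlidingWindowLimiter:
    """Client-side throttle: at most `max_requests` calls in any rolling
    `window_seconds` window. Clock and sleep functions are injectable so
    the behaviour can be verified without waiting on wall-clock time."""

    def __init__(self, max_requests=44, window_seconds=60.0,
                 clock=time.monotonic, sleeper=time.sleep):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.sleeper = sleeper
        self.sent = deque()  # timestamps of requests still inside the window

    def _prune(self, now):
        # Drop timestamps that have aged out of the rolling window.
        while self.sent and now - self.sent[0] >= self.window:
            self.sent.popleft()

    def acquire(self):
        """Block until one more request is allowed; return seconds waited.
        Call this immediately before every outbound request."""
        waited = 0.0
        now = self.clock()
        self._prune(now)
        # Loop (rather than a single sleep) so an early wake-up can never
        # let a 45th request slip into the window.
        while len(self.sent) >= self.max_requests:
            delay = max(self.sent[0] + self.window - now, 0.0)
            self.sleeper(delay)
            waited += delay
            now = self.clock()
            self._prune(now)
        self.sent.append(now)
        return waited


class FakeClock:
    """Constructed clock for offline checks: sleeping advances time instantly."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def simulate(n_requests, max_requests=44, window=60.0):
    """Issue n requests as fast as the limiter permits against a fake clock
    and return the (simulated) timestamp at which each one was released."""
    clk = FakeClock()
    limiter = SlidingWindowLimiter(max_requests, window, clk.now, clk.sleep)
    stamps = []
    for _ in range(n_requests):
        limiter.acquire()
        stamps.append(clk.now())
    return stamps


def max_in_any_window(stamps, window=60.0):
    """Largest number of timestamps falling in any (t - window, t] interval;
    this is the figure a server-side limiter would measure."""
    best = 0
    start = 0
    for end, t in enumerate(stamps):
        while stamps[start] <= t - window:
            start += 1
        best = max(best, end - start + 1)
    return best


if __name__ == "__main__":
    released = simulate(100)
    print(f"100 requests released over {released[-1]:.0f}s; "
          f"peak {max_in_any_window(released)} per rolling minute")
```

In real use, construct `SlidingWindowLimiter()` once and call `acquire()` before each HTTP request; the window is measured against `time.monotonic`, so it is unaffected by wall-clock adjustments. Note that this design allows the full allowance to be spent in a burst at the start of each window; if you would rather spread requests evenly, lower `max_requests` or add a fixed delay after each call.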

Safe Harbor

When conducting vulnerability research against this program, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith. You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.