1Password

  • $50 – $30,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 166
  • Validation within 5 days 75% of submissions are accepted or rejected within 5 days
  • Average payout $475 within the last 3 months

Latest hall of famers

Recently joined this program

1Password Bug Bounty Program

Thanks for your interest in the 1Password bug bounty program! External security evaluations are an important step on our journey to make (and keep) 1Password the best and most secure password manager on the market.

Please Note: Program information for the $1 million Capture the Flag (CTF) Challenge is specific and outlined in CTF Challenge section below.

Get started

This isn’t an easy program — scanners are unlikely to help, and standard XSS-type injections won't yield much either. We need creative researchers who aren’t afraid to think outside the box. We're happy you're here.

Start with the 1Password Security Design white paper, and pay particular attention to the section titled Beware of the Leopard (page 68). It explains the decisions and considerations behind the 1Password security design. We’ve also created a tool to help you investigate 1Password.com requests and responses with your own session key.

Get help

  • For information about the internal API, general questions, and to submit partial reports and theories, please send an email to bugbounty@agilebits.com so we can collaborate, provide support, and offer appropriate guidance.
  • Assistance isn’t guaranteed for complex and/or time-consuming requests.
  • We’ll accept flaw-hypothesis submissions without penalty, and work with you to develop a reasonable hypothesis when possible.

Capture The Flag Challenge

We introduced a $1 million CTF bug bounty challenge in 2022 to further our commitment to providing an industry-leading security platform for individuals, families, and businesses. Interested in participating? Join our dedicated BugCrowd program: https://bugcrowd.com/agilebits-ctf

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.