1Password Bug Bounty Program

Thanks for your interest in the 1Password bug bounty program! External security evaluations are an important step on our journey to make (and keep) 1Password the best and most secure password manager on the market.

Please Note: Program information for the $1 million Capture the Flag (CTF) Challenge is specific and outlined in CTF Challenge section below.

Get started

This isn’t an easy program — scanners are unlikely to help, and standard XSS-type injections won't yield much either. We need creative researchers who aren’t afraid to think outside the box. We're happy you're here.

Start with the 1Password Security Design white paper, and pay particular attention to the section titled Beware of the Leopard (page 68). It explains the decisions and considerations behind the 1Password security design. We’ve also created a tool to help you investigate 1Password.com requests and responses with your own session key.

Get help

• For information about the internal API, general questions, and to submit partial reports and theories, please send an email to bugbounty@agilebits.com so we can collaborate, provide support, and offer appropriate guidance.
• Assistance isn’t guaranteed for complex and/or time-consuming requests.
• We’ll accept flaw-hypothesis submissions without penalty, and work with you to develop a reasonable hypothesis when possible.

Capture The Flag Challenge

We introduced a $1 million CTF bug bounty challenge in 2022 to further our commitment to providing an industry-leading security platform for individuals, families, and businesses. Interested in participating? Join our dedicated BugCrowd program: https://bugcrowd.com/agilebits-ctf