1Password Bug Bounty Program
Thanks for your interest in the 1Password bug bounty program! External security evaluations are an important step on our journey to make (and keep) 1Password the best and most secure password manager on the market.
Please note: Program information for the $1 million Capture the Flag (CTF) Challenge is specific to that challenge and is outlined in the Capture The Flag Challenge section below.
This isn’t an easy program — scanners are unlikely to help, and standard XSS-type injections won't yield much either. We need creative researchers who aren’t afraid to think outside the box. We're happy you're here.
Start with the 1Password Security Design white paper, and pay particular attention to the section titled Beware of the Leopard (page 68). It explains the decisions and considerations behind the 1Password security design. We’ve also created a tool to help you investigate 1Password.com requests and responses with your own session key.
- For information about the internal API, for general questions, or to submit partial reports and theories, please email firstname.lastname@example.org so we can collaborate, provide support, and offer appropriate guidance.
- Assistance isn’t guaranteed for complex and/or time-consuming requests.
- We’ll accept flaw-hypothesis submissions without penalty, and work with you to develop a reasonable hypothesis when possible.
Capture The Flag Challenge
We introduced a $1 million CTF bug bounty challenge in 2022 to further our commitment to providing an industry-leading security platform for individuals, families, and businesses. Interested in participating? Join our dedicated BugCrowd program: https://bugcrowd.com/agilebits-ctf
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.