Keeper Security Public Bounty Program

  • $150 – $4,500 per vulnerability
  • Partial safe harbor
  • Managed by Bugcrowd

Program stats

92 vulnerabilities rewarded

Validation within 2 days
75% of submissions are accepted or rejected within 2 days

$150 average payout (last 3 months)


Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Keeper Security is transforming the way businesses and individuals protect their passwords and sensitive digital assets to significantly reduce cyber theft. Keeper is SOC 2 Certified, ISO 27001 Certified and utilizes best-in-class encryption to safeguard its customers. Keeper Security is committed to the industry best practice of responsible disclosure of potential security issues.


Guidelines:

This Vulnerability Disclosure Policy sets out expectations when working with good-faith hackers,
as well as what you can expect from us.

If security testing and reporting are done within the guidelines of this policy, we:

  • Consider it to be authorized in accordance with the Computer Fraud and Abuse Act,
  • Consider it exempt from DMCA, and will not bring a claim against you for bypassing any security or technology controls,
  • Consider it legal, and will not pursue or support any legal action related to this program against you,
  • Will work with you to understand and resolve the issue quickly, and
  • Will recognize your contributions publicly if you are the first to report the issue and we make a code or configuration change based on the issue.

If at any time you are concerned or uncertain about testing in a way that is consistent with the Guidelines and Scope of this policy, please contact us before proceeding.

To encourage good-faith security testing and disclosure of discovered vulnerabilities, we ask that you:
  • Avoid violating privacy, harming user experience, disrupting production or corporate systems, and/or destroying data,
  • Perform research only within the scope set out below, and respect systems and activities which are out-of-scope,
  • Contact us immediately if you encounter any user data during testing,
  • Use the identified communication channels to report vulnerability information to us, and
  • Keep information about any vulnerabilities you’ve discovered confidential until we’ve resolved them.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher, along with the opportunity to appeal and make a case for a higher priority.


Note: To unwrap and display Vault <> Server communication, open the developer tools and type:
enableNetworkLog()
This will allow you to see the requests/responses to the server in JSON.

On the Admin Console, the command to log additional request/response traffic is:
api.shouldLog=true


VRT Changes:

  • Any submissions stemming from throttling or spam testing will be rated as a P4.

Any domain/property of Keeper Security not listed in the targets section is out of scope. This
includes any/all subdomains not listed above.

Reward range

Technical severity   Reward range
P1 Critical          $3,500 - $4,500
P2 Severe            $2,000 - $3,500
P3 Moderate          $500 - $750
P4 Low               $150 - $200

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name / Type / Tags

Keeper Security Website (keepersecurity.com | .eu)
  Type: Website Testing
  Tags: Website Testing, Bootstrap, ReactJS, Moment.js, jQuery
Keeper Password Manager for iOS
  Type: iOS
  Tags: Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI, Binary Analysis
Keeper Password Manager for Android
  Type: Android
  Tags: Mobile Application Testing, Android, Java, Kotlin, Binary Analysis
Keeper Desktop Application for Mac and PC
  Type: Other
  Tags: Desktop Application Testing
Keeper Password Manager for Windows Store
  Type: Other
  Tags: Desktop Application Testing, Windows
KeeperFill Browser Extension (Chrome, Safari, Firefox, Edge, IE)
  Type: Other
  Tags: Browser Extension
Keeper Backend API (Keeper Commander)
  Type: Other
  Tags: API Testing
KeeperChat for iOS
  Type: iOS
  Tags: Mobile Application Testing, iOS, Objective-C, Swift, SwiftUI, Binary Analysis
KeeperChat for Android
  Type: Android
  Tags: Mobile Application Testing, Android, Java, Kotlin, Binary Analysis
KeeperChat for Windows
  Type: Other
  Tags: Binary Analysis, Windows
KeeperChat for Mac
  Type: Other
  Tags: Binary Analysis, macOS
https://keepersecurity.com/vault/
  Type: Website Testing
  Tags: Website Testing, ReactJS, jQuery
https://keepersecurity.eu/vault
  Type: Website Testing
  Tags: Website Testing, ReactJS, jQuery
https://keepersecurity.com/en_US/console (Admin Console)
  Type: Website Testing
  Tags: Website Testing, Lodash
https://keepersecurity.eu/console (Admin Console EU)
  Type: Website Testing
  Tags: Website Testing, Lodash
https://keepersecurity.com/password-manager-free-trial.html (Keeper Enterprise Product)
  Type: Website Testing
  Tags: Website Testing, Bootstrap, ReactJS, Moment.js, jQuery
Keeper® Password Manager & Digital Vault
  Type: Website Testing
  Tags: Browser Extension, Website Testing



Target Info

Web Applications

  • Web Vault (US): https://keepersecurity.com/vault/
  • Web Vault (EU): https://keepersecurity.eu/vault
  • Admin Console (US): https://keepersecurity.com/en_US/console
  • Admin Console (EU): https://keepersecurity.eu/console

KeeperFill Browser Extensions

  • Chrome, Safari, Firefox, Edge, IE11: Here
  • All of the extensions use the same codebase except for IE11. Furthermore, we will only accept submissions from version 14.4.0 or greater.

Keeper SSO Connect

  • Sign up: Here
  • Once you've visited this page, click Request Free Trial, then for the Company field use the string "Bugcrowd Testing don't call me!"
  • Once you're logged into the admin console here, click Configuration, then enable Node Structure.
  • Add a node entry underneath your account, then go to Provisioning, click Add Method, select Single Sign-On (SAML 2.0), and name your SSO connection; a link will then appear to download SSO Connect.

Access/Credentials:

Please sign up for an account using your @bugcrowdninja.com email address. For more info regarding @bugcrowdninja email addresses, see here.


Additional Notes

Please keep in mind that the targets you test (particularly the websites) are production systems; as such, please abstain from running automated tools against contact forms and similar endpoints. Manual testing is highly encouraged and recommended in places and situations where it looks like the form may submit to a human or team on the other end.


Also note that Keeper device approval can be configured to use IP-based approval. To turn this on or off, visit the Vault settings screen.


Focus Areas:

  • Authentication bypass
  • Device approval bypass
  • Bugs in customer-facing web applications and APIs
  • Bugs in desktop applications or mobile apps
  • Bugs in third-party assets used by Keeper's web applications
  • Cross-site request forgery
  • Cross-site scripting (XSS)
  • Privilege escalation
  • Information disclosure
  • Remote code execution
  • Timing or enumeration attacks that have a tangible risk to security or privacy

Out-of-Scope

  • Spam or Email Spoofing
  • Bugs that rely on keylogging, compromise of the operating system or privileged access
  • Legacy or unsupported versions of apps
  • Rate limit testing
  • Please note, any kind of attack where the only victim is yourself (e.g. self-XSS in a profile picture or in information that doesn't show anywhere else) is now out of scope. You must provably show that the attack can be reached by another user.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.