LastPass

  • Points – $5,000 per vulnerability
  • Managed by Bugcrowd

Program stats

230 vulnerabilities rewarded

Validation within 5 days
75% of submissions are accepted or rejected within 5 days

$414.28 average payout (last 3 months)


Our business is keeping customer information both private and secure.

We respect the community's wishes as well: we are happy to help validate issues you think you may have found or suspect, and we will reward issues that you suspect are present but cannot prove.

We do allow permanent LastPass Enterprise trials for researchers. When signing up at https://lastpass.com/enterprise, mention that you are testing with Bugcrowd and how you would like to test for an extended period.

Reward Guidelines

This program adheres to the Bugcrowd Vulnerability Rating Taxonomy for the rating/prioritization of findings.

Exclusions

  • !NEW! Issues regarding e-mail verification at registration. It was introduced temporarily for user acceptance testing, not as a real security enhancement.
  • 2nd factor not being necessary when logging into your local offline cache of your data (see bottom of https://helpdesk.lastpass.com/multifactor-authentication-options/google-authenticator/)
  • Seeing shared password by changing DOM manually
  • Username/email enumeration -- we allow this intentionally everywhere, but it's also limited and blocked after a low number of attempts. If you found somewhere that's not true it would be in scope.
  • Attacks that require jailbroken / rooted devices to implement, though if you have ways to work around the issue you find we may be interested.
  • Application Denial of Service by locking user accounts.
  • Sharing issues that ignore the notes posted here regarding their accessibility: https://support.logmeininc.com/lastpass/help/use-the-sharing-center-lp020007#InitiatingPasswordShare
  • Weak password choice
  • Modification of headers, URLs, POST body content, server responses by MITM attacks.
  • Note that the vast majority of PayPal attacks are false positives: your premium expiry date is prorated based on your purchase amount.
  • Webview related issues.

Reward Range

Technical severity    Reward range
P1 Critical           $2,200 - $5,000
P2 Severe             $600 - $2,000
P3 Moderate           $150 - $500
P4 Low                Up to $100

P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name                                                            Type
https://lastpass.com                                                   Other
LastPass browser extensions                                            Other
Local computer apps, e.g. OS X App, Windows App, Windows/Mac Installers Other
iOS mobile app                                                         iOS
Android mobile app                                                     Android
LastPass Authenticator iOS app                                         iOS
LastPass Authenticator Android app                                     Android

Out of scope

Target name                                   Type
https://helpdesk.lastpass.com/                Website
https://enterprise.lastpass.com/              Website
https://forums.lastpass.com/                  Website
https://blog.lastpass.com/                    Website
Windows Phone app                             Other
LastPass Authenticator Windows Phone app      Other
LastPass CLI tool                             Other

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.

This bounty requires explicit permission to disclose the results of a submission.