Our business is keeping customer information both private and secure.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being proactive rather than reactive to emerging security issues is a fundamental belief at LastPass. Every day new security issues and attack vectors are created. LastPass strives to keep abreast of the latest state-of-the-art security developments by working with security researchers and companies. We appreciate the community's efforts in creating a more secure world.

We respect the community's desires as well: we are happy to help validate issues you think you may have found or suspect, and we will reward issues that you suspect are present but cannot prove.

We do allow permanent LastPass Enterprise trials for researchers. When signing up, mention that you're testing with Bugcrowd and that you'd like to test for an extended period: https://lastpass.com/enterprise


In scope

  • Local computer apps, e.g. OS X App, Windows App, Windows/Mac Installers
  • Mobile apps: iOS, Android, Windows Phone
  • LastPass browser extensions
  • https://lastpass.com


Out of scope

  • 2nd factor not being necessary when logging into your local offline cache of your data (see bottom of https://helpdesk.lastpass.com/multifactor-authentication-options/google-authenticator/)

  • Network level Denial of Service (DoS/DDoS) vulnerabilities.

  • Findings from physical testing such as office access (e.g. open doors, tailgating).

  • Findings derived primarily from social engineering (e.g. phishing, vishing, smishing).

  • Findings from applications or systems not listed in the ‘Targets’ section.

  • Functional, UI and UX bugs and spelling mistakes.

  • Username/email enumeration -- we allow this intentionally everywhere, but it's also limited and blocked after a low number of attempts. If you found somewhere that's not true, it would be in scope.

  • Attacks that require jailbroken / rooted devices to implement, though if you have ways to work around the issue you find we may be interested.

  • Issues on non-main domains are not in scope, e.g. https://helpdesk.lastpass.com/, https://enterprise.lastpass.com/, https://forums.lastpass.com/ and https://blog.lastpass.com/ are not included.

  • Application Denial of Service by locking user accounts.

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.

  • Disclosure of known public files or directories, (e.g. robots.txt).

  • CSRF on forms that are available to anonymous users (e.g. the contact us form, the create account page, the forgot password page, etc.).

  • Reuse or absence of CSRF tokens that are non-session based (i.e. user logged out of their account).

  • Login/Logout Cross-Site Request Forgery (login CSRF / logout CSRF).

  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

  • Lack of Secure and HttpOnly cookie flags on our lang cookie

  • Lack of Security Speedbump when leaving the site.

  • OPTIONS / TRACE HTTP method enabled

  • SSL Attacks such as BEAST, BREACH, Renegotiation attack

  • Sharing issues that ignore the notes posted here regarding their accessibility: https://helpdesk.lastpass.com/sharing/

  • Weak password choice

  • Modification of headers, URLs, POST body content, server responses by MITM attacks.

  • Note that the vast majority of PayPal attacks are false positives: your premium expiry date is prorated based on your purchase amount.


This bounty follows Bugcrowd’s standard disclosure terms.

This bounty requires explicit permission to disclose the results of a submission.

The following finding types are specifically excluded from the bounty:
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- Login Page / Forgot Password Page Account Brute force or account lockout not enforced.
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- Self-XSS and issues exploitable only through Self-XSS.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password