1Password Offers $100k Bounty to Crack its Security

In a show of either confidence in its own security or eagerness to ensure the integrity of its system, developer AgileBits has quadrupled the highest bounty for finding bugs within its password manager 1Password to a whopping $100,000. While 1Password managed to escape Cloudflare’s Cloudbleed fault last month, despite using the system, the new bounty suggests an imperative on behalf of AgileBits not to get caught out in a similar way.

“We believe that we’ve designed and built an extremely secure password management system,” Jeffrey Goldberg of AgileBits writes. “We wouldn’t be offering it to people otherwise.  But we know that we – like everyone else – may have blind spots. That is why we very much encourage outside researchers to hunt for security bugs. Today we are upping that encouragement by raising the top reward in our bug bounty program.”

“Our 1Password bug bounty program offers tiered rewards for bug identification, starting at $100,” Goldberg explains. “Our top prize goes to anyone who can obtain and decrypt some bad poetry (in particular, a horrible haiku) stored in a 1Password vault that researchers should not have access to. We are raising the reward for that from $25,000 to $100,000. (All rewards are listed in US dollars, as those are easier to transfer than hundreds or thousands of Canadian dollars worth of maple syrup.) This, it turns out, makes it the highest bounty available on Bugcrowd.”

Here’s how to get involved:

• Go to bugcrowd.com and set up an account.
• Read the documentation on the 1Password bugcrowd profile.
• The AgileBits Bugcrowd brief instructs researchers where to find additional documentation on APIs, hints about the location of some of the flags, and other resources for taking on this challenge. Be sure to study that material.
• Go hunting!

The 1Password Bugcrowd campaign is on-going until further notice.