Bountytalk - Forums Advertising & Bounty Hub
Other Bounties => Bug bounty programs => Topic started by: Angelina on April 27, 2023, 05:07:24 pm
Submit bug report: https://bugcrowd.com/agilebits-ctf
1Password Bug Bounty Program
Thanks for your interest in the 1Password bug bounty program! External security evaluations are an important step on our journey to make (and keep) 1Password the best and most secure password manager on the market.
Please Note: Program information for the $1 million Capture the Flag (CTF) Challenge is specific and is outlined in the CTF Challenge section below.
Get started
This isn’t an easy program — scanners are unlikely to help, and standard XSS-type injections won't yield much either. We need creative researchers who aren’t afraid to think outside the box. We're happy you're here.
Start with the 1Password Security Design white paper, and pay particular attention to the section titled Beware of the Leopard (page 68). It explains the decisions and considerations behind the 1Password security design. We’ve also created a tool to help you investigate 1Password.com requests and responses with your own session key.
Get help
For information about the internal API, general questions, and to submit partial reports and theories, please send an email to bugbounty@agilebits.com so we can collaborate, provide support, and offer appropriate guidance.
Assistance isn’t guaranteed for complex and/or time-consuming requests.
We’ll accept flaw-hypothesis submissions without penalty, and work with you to develop a reasonable hypothesis when possible.
Capture The Flag Challenge
We introduced a $1 million CTF bug bounty challenge in 2022 to further our commitment to providing an industry-leading security platform for individuals, families, and businesses. Interested in participating? Join our dedicated BugCrowd program: https://bugcrowd.com/agilebits-ctf
Additional Information
Download the latest stable version of 1Password or find the Beta versions detailed in our release notes.
If you’re interested in testing our nightly build, you can install the nightly release as follows:
Open and unlock 1Password.
Click your account or collection at the top of the sidebar and choose Settings.
Click Advanced, then set “Release channel” to Nightly.
Updates will be installed automatically when “Install updates automatically” is turned on.
Note: Issues found in nightlies may be evaluated differently than issues found in a stable release.
General exclusions
1Password won’t accept submissions or reports for:
Scheduled infrastructure changes
DDoS/DoS attacks
Enumeration attacks (these require prior notification and approval)
Multifactor Authentication (MFA)
Any attack that requires root access
Rate limiting bypass using IP rotation
We may reject reports of bugs that meet these criteria, or downgrade priority to the lowest tier (P5):
Bugs that don’t compromise account, user, vault, or item security
Bugs that require direct memory access or dynamic instrumentation
Bugs caused by operating system virtualization or emulation
Bugs that depend on memory dumps or tools that read active or cached memory
Commonly reported and excluded issues
We receive a number of common issue reports when new researchers are added to the program. We have reviewed these issues numerous times and concluded either that the product design is what we want it to be, or that they are inapplicable based on the published White Paper.
SPF/DKIM and other email forgery protection - SPF/DKIM and other mechanisms are designed to offer hints to spam filters on receiving systems. In particular, an SPF pass or fail is not a very reliable indicator of authenticity or forgery. As such, there is a fair amount of variation in how both senders and receivers may wish to configure it. Although we welcome suggestions and opinions about its tuning, we do not consider disagreements about that to be “bugs”.
Disclosure of Session Tokens and UUIDs - As explained in the Security Design Whitepaper, UUIDs are not sensitive within the 1Password ecosystem.
Product notes
With 1Password you only ever need to memorize one password. All your other passwords and important information are protected by your Account Password, which only you know.
1Password is available for individuals, families, and teams. Take a tour, learn about 1Password security, or browse 1Password Support.
Program rules
Automated requests/scanning must be kept to under 45 requests per minute.
Scanners (and anything that sends an excessive number of requests) will add wait time to your tests due to the rate limiting that is in place.
Only detailed reports with reproducible steps are considered valid and eligible for reward.
Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
The first valid report we receive will be rewarded in the event of duplication.
Multiple vulnerabilities caused by a single issue will be awarded one bounty.
Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
Only interact with accounts you own or for which you have explicit permission from the account holder.
Contact us to report tests that may cause a spike in errors or disrupt service so we can discuss other options.
Safe harbor
1Password considers applicable research to be:
Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and will not initiate or support legal action for accidental, good faith violations of this policy.
Exempt from the Digital Millennium Copyright Act (DMCA), and will not bring a claim against you for circumvention of technology controls.
Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and waive the restrictions on a limited basis for applicable work.
Lawful, helpful to overall internet security, and conducted in good faith. You’re expected to comply with all applicable laws.
If you have concerns or questions about your ability to comply with this policy, please submit a report through an official channel.
Additional information
We’ll always consider feedback about design decisions but ask that you understand 1Password has been extensively reviewed by our internal team and external audits.