Please note: This is NOT an easy web target (for instance, running scanners is unlikely to help you here, and standard XSS-type injections won't yield much either). That said, 1Password is committed to helping you succeed on this program. To this end, they've setup a researcher vault with additional, helpful information, that requires you opt-in to receive an invite. You can opt-in by emailing firstname.lastname@example.org with your Bugcrowd username, and you'll be provisioned account access to the vault where 1Password provides supplemental information for testing against the application - including documentation on real issues that were recently found (so as to give direction towards where more issues may be present) and more.
Only capturing the unencrypted "bad poetry" flag is eligible for the $100k reward. See below for more details.
Last updated 16 Aug 2018 22:05:42 UTC
Technical severity | Reward range
p1 Critical | Up to: $5,000
p2 Severe | Up to: $1,000
p3 Moderate | Up to: $200
p4 Low | Up to: $100
P5 submissions do not receive any rewards for this program.
Target name | Type
<Your own 1Password subdomain --> https://<your account
domain>.1password.com/ | Other
<Account (Business, Family) signup page --> https://start.1password.com |
<White Box Test team --> https://bugcrowd-test.1password.com | Other
Target name | Type
*.agilebits.com | Website
All other subdomains, except your account-specific (Business or Family) subdomain and the white box testing team subdomain listed above, are out of scope.
There are two ways you can authenticate to the application:
When submitting, please be sure to include email credentials and all recent IPs.
Note: Server-side APIs are the focus area for this program. Please contact email@example.com for assistance in getting your guest membership in "bugcrowd-test" approved as quickly as possible. White box testing materials are available through that team. Additionally, this program may require use of a Mac OS X or iOS device for some tasks where full Android and Window support is not yet available.
If you have something that you feel is close to exploitation, or if you'd like some information regarding the internal API, or generally have any questions regarding the app that would help in your efforts, please create a submission and ask for that information.
Furthermore, 1Password wishes to facilitate a white-box testing environment as best they can - to this end, if you have any questions regarding the workings of the application, or requests for information on the API, you're encouraged to email them at firstname.lastname@example.org.
1Password will also accept flaw-hypothesis submissions, without penalty, and will work with you to develop a reasonable hypothesis into a working exploit, should one be possible.
1Password remembers your passwords for you — and helps you make them stronger. All your secrets are secure and always available, safe behind the one password that only you know.
With 1Password for Teams , you have full control over who has access to your most important information. It's never been so easy to share the simple security of 1Password with everyone. Additional information can be found here.
This program focuses on teams signups and basic infrastructure, and has expanded to cover all of the server-side APIs. It is our intention that this program include White Box Testing features, allowing researchers to cut to the chase and attack the product more directly, with API documentation provided on a best-effort basis.
1Password has included REST API documentation , including the URI, method and parameters for a number of interfaces. Additional APIs may be requested, on a best-effort basis.
The guest vault includes information needed to attempt to "Capture The Bad Poetry" as well as an item which is set to be read-only so that researchers may attempt an unauthorized item modification. See the "Researchers" vault for more details.
Two account types -- Business and Family -- are included in the program. As a member of the bugcrowd-test Business account, you will be testing the product as an unprivileged member of the bugcrowd-test account. If you wish to test the product as a privileged account member, you may also sign up for your own Business or Family account. All initial signups receive a free trial period that is at least 30 days long. Please be sure to sign up using your bugcrowdninja.com domain email address so we can track your account as part of the program. Additionally, AgileBits may, at its sole discretion, extend your account as you continue to make submissions as part of the program. Please contact email@example.com to extend your free account as you continue to make submissions in this program. Happy Bug Hunting!!!
Rate limiting - There is rate limiting present on the application, so be careful in running scanners or anything that might send an excessive number of requests and add additional waiting to your testing. For this program we request that you submit flaw hypotheses for any enumeration vulnerabilities you believe you have found.
Design decisions- while we are always willing to entertain discussions about design decisions, please understand that the design has been extensively reviewed by our internal team as well as external reviewers.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.
Contact us if you want more information.