| Scope Type | Scope Name |
| --- | --- |
| android_application | Android mobile app |
| android_application | LastPass Authenticator Android app |
| ios_application | iOS Mobile app |
| ios_application | LastPass Authenticator iOS app |
| other | LastPass browser extensions (Chrome / Safari / Edge / Firefox) |
| other | Local computer apps (UWP application / Windows installer (MSI)) |
Out of Scope
| Scope Type | Scope Name |
| --- | --- |
| android_application | LastPass MFA Android App |
| ios_application | LastPass MFA iOS app |
| other | Windows Phone app |
| other | LastPass Authenticator Windows Phone app |
| other | Lastpass CLI tool |
LastPass is helping people achieve effortless security, at home and in the workplace. As our business and personal worlds intersect on an increasing scale in our cloud-centric world, a strong foundation of secure authentication and access is critical to keeping systems, data, and assets safe. As a secure password manager trusted by millions of consumers and tens of thousands of companies worldwide, LastPass is designed to safely store passwords and grant access to the technology and services they rely on every day.
A core mission at LastPass is to keep customer information both private and secure. We appreciate your contribution to help us improve the security of our product. For valid, eligible reports, we offer rewards proportionate to the severity of the issue.
After preliminary validation of eligibility by Bugcrowd, LastPass program owners will proceed with the assessment of the submission. We may ask for more information and work with the reporter to reproduce, validate and mitigate the issue properly.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority may be modified due to its likelihood or impact based on LastPass product decision.
If your report is determined to be valid and in scope, it will be moved to the Unresolved state and you will receive your reward according to the Reward Range section.
LastPass appreciates the contributions made by the research community and understands that transparency is an important aspect to raising awareness and improving computer security. We will be happy to help you share your findings if you follow the conditions mentioned in Bugcrowd’s standard disclosure terms. Additionally, we ask that you do not disclose any details about the reported vulnerability until the fix is completed and marked "Resolved". After that, please provide the draft of your publication plan for our review. Details of this process can be discussed through the Bugcrowd submission’s comment section.
It is important to note that any information you receive or collect about LastPass, its engineers or customers through this program must be kept confidential, shared only on an “as needed” basis, and may not be published or externally distributed unless this was previously discussed and accepted during the review process.
For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority. Please see below for any deviations from the standard VRT.
In-Scope items are those listed as In-Scope in the Program Scope section.
Anything not explicitly defined “In-Scope” is by default “Out-of-Scope”, including (but not limited to) the items listed in the Program Scope section as Out-of-Scope.
Testing is only authorized on the targets listed as In-Scope. If you believe you've identified a vulnerability on a system outside the scope, please reach out to email@example.com before submitting.
Links that are indexed by Google and/or URL scanning sites. Sometimes these links can expose customer data, but only for a short period of time. They can appear due to manual scans performed by users or by virus scanners and may stay indexed for a period of time.
Two-Factor Authentication (2FA) not being required for page-load autofill when the user’s local offline cache is loaded. If the user’s account settings permit offline access for 2FA and the user has previously logged in on the machine, offline mode will override 2FA and allow the web browser to run page-load autofill. This will not happen if the login is done on a new device.
Attacks against endpoints which enable username enumeration or brute forcing of credentials (for example login forms) when those endpoints already have reasonable rate limits in place. Distributed attacks using multiple IP addresses are also excluded.
Denial of service, spam, or phishing attacks. These attacks are considered abusive and can harm our customers.
Limitations around sharing which are documented on our website. Sharing has technical limitations so please check the description of explicitly mentioned ones on.
Attacks that rely on/have as a prerequisite successfully placing a man in the middle between our servers and the client. We take precautions in order to make these attacks difficult or infeasible (e.g. using HTTPS exclusively), but some aspects are out of our control and thereby excluded from eligibility.
“Missing” security practices without a realistic attack scenario (e.g. missing HTTP headers, missing certificate pinning) or in general questioning design decisions. While we are always evaluating and make reasonable efforts to consider security standards and emerging “best” practices, we expect that your submission contains a descriptive attack scenario with real impact to our users, as opposed to recommendations based on emerging, novel, or unnecessary practices.
Please ensure your submission describes a realistic attack scenario that could present a risk to our users and/or their data, even if the scenario includes something that is considered out of scope, as noted above. In that case, we will consider the submission to be eligible for the Bugcrowd bounty.
Last updated 24 Aug 2018 17:55:14 UTC
| Technical severity | Reward range |
| --- | --- |
| P1 Critical | $2,200 - $5,000 |
| P2 Severe | $600 - $2,000 |
| P3 Moderate | $150 - $500 |
| P4 Low | Up to $100 |
P5 submissions do not receive any rewards for this program.
| Target name | Type |
| --- | --- |
| <https://lastpass.com> | Website |
| LastPass browser extensions (Chrome / Safari / Edge / Firefox) | Other |
| Local computer apps (UWP application / Windows installer (MSI)) | Other |
| iOS Mobile app | iOS |
| Android mobile app | Android |
| LastPass Authenticator iOS app | iOS |
| LastPass Authenticator Android app | Android |
| Target name | Type |
| --- | --- |
| <https://support.logmeininc.com/lastpass> | Website |
| <https://forums.lastpass.com/> | Website |
| <https://blog.lastpass.com/> | Website |
| Windows Phone app | Other |
| LastPass Authenticator Windows Phone app | Other |
| Lastpass CLI tool | Other |
| <https://idaas.lastpass.com/> | Website |
| LastPass MFA Android App | Android |
| LastPass MFA iOS app | iOS |
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.
This bounty requires explicit permission to disclose the results of a submission.