Bugcrowd Blog

Earn Rewards up to $1000 for LastPass Vulnerabilities

Posted by Kymberlee Price on Jul 22, 2015 2:39:27 AM

LastPass is further deepening its commitment to application security by adding cash rewards of up to $1,000 to the LastPass bounty program! As of 1600 GMT today, LastPass offers cash rewards from $50 to $1,000 for valid, first-to-find vulnerability submissions made through its Bugcrowd bounty program.

LastPass is a web and mobile password manager and form filler that encrypts your sensitive data locally with a key that is never sent to LastPass. Its customers include leading e-commerce and financial brands such as Amazon, HSBC, Dell, American Express, and Yahoo. Millions of users rely on its applications every day, so ensuring the security of those users is a priority for LastPass.

Rewards for LastPass vulnerability submissions:

P1 - CRITICAL: Vulnerabilities that cause a privilege escalation on the platform from unprivileged to admin, allow remote code execution, enable financial theft, etc. Examples: Remote Code Execution, Vertical Authentication Bypass, XXE, SQL Injection, User Authentication Bypass. Reward: $1,000

P2 - HIGH: Vulnerabilities that affect the security of the platform, including the processes it supports. Examples: Lateral Authentication Bypass, Stored XSS affecting another user, some CSRF depending on impact. Reward: $500

P3 - MEDIUM: Vulnerabilities that affect multiple users and require little or no user interaction to trigger. Examples: Reflected XSS, Direct Object Reference, URL Redirect, some CSRF depending on impact. Reward: $250

P4 - LOW: Issues that affect single users and require interaction or significant prerequisites (such as a MitM position) to trigger. Examples: Common flaws, Debug Information, Mixed Content. Reward: $50

P5 - BUSINESS ACCEPTED RISK: Non-exploitable weaknesses in functionality and "won't fix" vulnerabilities. Examples: Best practices, mitigations, issues that are by design or deemed an acceptable business risk to the customer, such as use of CAPTCHAs, Code Obfuscation, SSL Pinning, etc. Reward: Kudos Points only

Please refer to the bounty brief for the official program scope and reward guidelines.
