Our customers are leaders when it comes to security; they understand the value of harnessing the power of the crowd and the creativity of thousands of researchers that think like the adversary. Password manager technology 1Password is no exception.
At Bugcrowd we often highlight the importance of providing fair rewards to the crowd. This is why we have provided an outline on “what a bug’s worth” – it’s absolutely essential to align expectations between researchers and program owners. 1Password understands this and have scoped their program in accordance with this guide. However, in addition to standard bugs, some organizations have set up “capture the flag” challenges to incentivize researchers to focus on specific areas. Knowing the complexity of breaking in as well as the real security implications if someone in the wild were able to do it, capture the flag contests often net much more than a P1 or critical vulnerability.
1Password has one of these high-reward “capture the flags” within their scope. To earn this a researcher needs to secure access to the unencrypted "bad poetry" stored in a 1Password vault – something researchers should not have access to. Up until today this was prized at $25,000, but today they have decided to increase this reward to $100,000.
“Security is at the heart of what we do,” said Jeff Shiner of AgileBits. “We owe it to our customers to do everything in our power to keep them and their information secure. This means using the ingenuity of real people to help us continually improve the security of 1Password. It was important for us to demonstrate how seriously we take this contribution and have increased the prize to prove it.”
The highest potential prize on our platform, 1Password’s 100K capture the flag represents the importance that 1Password places on the security of their platform. With events like the recent Cloudbleed, it’s likely we will begin to see more companies placing renewed emphasis on security, and for those that aren’t already, looking to the power of the crowd to achieve it.