Researchers offered record incentive for vulnerabilities found on Bugcrowd programs

Password manager 1Password has announced it has increased its maximum bug bounty reward to $1 million

UPDATED Password manager 1Password has announced it has increased its maximum bug bounty reward to $1 million, one of the highest potential payouts in the industry.

In a statement released today (March 10), the Toronto-based firm revealed it is offering the huge financial incentive, which is the current highest figure offered by programs managed by Bugcrowd.


Read more of the latest news about bug bounty programs


Jeff Shiner, CEO of 1Password, said: “Increasing our bug bounty to $1 million will attract another layer of outside expertise to make sure our systems are as secure as possible.

“Together, we will deepen our security leadership so our customers can live their lives online with ease and confidence.”

Previous payouts

Since beginning the bug bounty program in 2017, 1Password said it has paid out $103,000 to security researchers, averaging $900 per reward.

The company said that all detected bugs have been “minor” and showed “no threat to the secrecy of sensitive customer data”.

Researchers were previously offered a maximum payout of $100,000.

Ashish Gupta, CEO of Bugcrowd, said that the researcher community is “especially important today as hackers become savvier with their techniques and threats escalate from Russia”.

He added: “1Password has held our top bug bounty reward spot since 2017, and their new top prize of $1 million underscores their respect for the value our community provides.”

Dig deep

Adam Caudill, director of security at 1Password, told The Daily Swig that protecting customers is the main driver behind the increase.

“It’s our top priority, so we’ve put enough money on the table to give researchers a reason to dig deep and look for serious issues,” Caudill said. “If they exist, we want to know.”

He added: “We’ve looked at not only the bug bounty market, but also the offensive security market and studied what vulnerabilities and exploits sell for.

“Our goal is to set this bounty high enough that we are motivating researchers, as well as being the most profitable buyer for exploits in our products. If a researcher finds an issue, we want them to come to us, not a broker that will pass it on to adversarial parties.”


READ Coinbase security bug allowed users to steal unlimited cryptocurrency


Caudill earmarked logic issues as the most interesting finds, which “tend to be easy to overlook in development, review, and testing”.

He said: “Logic issues tend to be subtle, but can be extremely powerful, especially when you leverage mistaken assumptions by the developer. The most interesting issues tend to rely not on a single significant mistake, but build on a series of small mistakes that turn into something interesting when combined.”

Caudill added: “We’ve received a couple rather interesting submissions, and a single researcher has managed to claim nearly half of our total payouts to date by looking for issues like this.”

What to look for

He encouraged researchers to look out for these subtle issues, and especially subtle logic issues, to be within a chance of being awarded the $1 million bounty.

Caudill said: “Those are the hardest to catch (despite everyone’s best efforts) – it’s these issues that are most likely to result in finding something interesting.

“1Password has developed a reputation for being one of the hardest targets available, finding an issue with real security impact is a real challenge.”


This article has been updated to include comments from 1Password


YOU MAY ALSO LIKE Bug Bounty Radar // The latest bug bounty programs for March 2022