MOney Big Million - IMage credit PublicDomainPictures / GlamazonPassword management platform, 1Password, has announced a US $1 million bug bounty. The bounty is available to anyone who discovers a serious flaw in 1Password’s platform. The company had previously offered $100,000. however, it has so far only resulted in a number of minor bugs being reported.

Jeff Shiner. CEO, 1Password (Image Credit: LinkedIn)
Jeff Shiner. CEO, 1Password

Jeff Shiner, CEO of 1Password, said, “No one should have to choose between safety and convenience, and we’re making this major investment to demonstrate our commitment to keeping 1Password customers secure.

“Increasing our bug bounty to $1 million will attract another layer of outside expertise to make sure our systems are as secure as possible. Together, we will deepen our security leadership so our customers can live their lives online with ease and confidence.”

The advantages of bug bounty schemes

Testing for vulnerabilities has become big business. There are a lot of organisations and individuals offering their services to find gaps in your security. 1Password says it regularly engages the security community to test the security of its products. It sees bug bounties as another way to engage with the wider security researcher community.

1Password offers its bounties through the Bugcrowd platform. So far, it has paid out $103,000 to researchers on the platform. It says that the average payout is $900. Interestingly, the company also revealed that over 800 researchers attempted to win the $100,000 it had on offer. As nobody had succeeded with that, the company has now raised that to $1 million.

Jake Moore, Cyber Security Specialist at ESET UK
Jake Moore, Cyber Security Specialist at ESET UK

According to  Jake Moore, Global Cyber Security Advisor at ESET, “Bug bounties are an indispensable way of continually testing the security of a given platform and can save organisations, whatever size, huge financial strains in the long run.

“Bug bounty schemes are a fantastic way of bringing in different skillsets to examine your security in a dynamic approach. Effectively, the widespread cybersecurity community can become a dedicated and distributed bunch of full time CISOs offering stronger and better protection. Increasing the pay outs is effective and helps this community – it even has the potential to persuade hackers to act on the right side of the law, although this remains a slow change.”

Bug bounties are not the only solution

As already mentioned, 1Password does not see bug bounties as the only way to validate the security of its software. In addition to its bug bounty offering, the company says it also has a number of other programmes in place. These include:

  • Conducting more than a dozen external penetration tests annually, the results of which are then released in full to the public.
  • Staffing protocols that ensure security-directed developers are always embedded within product development teams.
  • Security Ambassador Program to continuously train and develop security expertise in development teams.
  • Eyes of the Month program that rewards the employees that report the most impactful security issue of the month, routinely surfacing bugs that can only be found by those familiar with the subject matter and creating an ongoing educational forum to present learnings across the entire company.
  • Internal testing and review programs designed to strengthen the company’s strong culture of privacy and security.

Enterprise Times: What does this mean

This is a very bold move by 1Password. Upping its original $100,000 bug bounty to $1 million is going to get it attention. Hopefully, it is the sort of attention it wants. The question is, will someone be willing to offer more to a researcher in order not to disclose a serious bug in the 1Password platform? It is an approach used by several companies who exist solely to bank vulnerabilities that they then sell on to their customers, rarely the vendors.

In this case, 1Password seems justified in upping the ante. The failure of researchers to discover, or at least report they have discovered, a serious bug is good news. Let’s hope it can retain this level of security around its platform.


Please enter your comment!
Please enter your name here