1Password Raises ‘Capture The Flag’ Bug Bounty To $100,000

1Password Demo Vault

AgileBits, the company behind one of the most popular password managers, 1Password, announced that it increased its maximum bug bounty from $25,000 to $100,000. This big reward is part of a “Capture the Flag” type competition, where researchers have to obtain a plaintext file of “bad poetry” from 1Password’s password vault.


Bugcrowd is a crowdsourced bug bounty platform that allows companies to easily set-up programs to reward security researchers for their findings. This makes it easier for researchers to get paid for their work, and it also encourages them to further explore the security of various software tools. Companies such as Western Union, Pinterest, Heroku, Tesla, and Fiat Chrysler all use the Bugcrowd platform.

1Password’s Capture The Flag

Some organizations create “Capture the Flag” challenges on Bugcrowd to incentivize researchers to focus on specific areas. Normally, researchers are rewarded smaller amounts of money for random bugs they may find in vendors’ products. However, when the companies create a Capture the Flag challenge, they are better prepared and the challenge is more specific, which makes it more difficult for the researchers to break in. This is why the companies also tend to offer bigger rewards to the winners.

AgileBits had previously set up a $25,000 bug bounty for a Capture the Flag challenge in which researchers had to obtain a “bad poetry” flag from the encrypted password vault. Now the company has raised the reward to $100,000, which is four times as much as before, and is also the highest existing reward on the Bugcrowd platform.

“Security is at the heart of what we do,” said Jeff Shiner of AgileBits. “We owe it to our customers to do everything in our power to keep them and their information secure. This means using the ingenuity of real people to help us continually improve the security of 1Password. It was important for us to demonstrate how seriously we take this contribution and have increased the prize to prove it,” he noted.

Recently, a researcher found multiple vulnerabilities in a number of password managers, including 1Password. However, according to an update on March 1, all vendors have already fixed the bugs, which should include 1Password as well.

AgileBits also said that with recent events such as Cloudbleed, it’s becoming more and more important for companies to put more emphasis on security. Having a good bug bounty program can be one of the ways to do that, because they can help companies stay one step ahead of the attackers.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.