Since 2006, 1Password has been a trusted industry leader in managing and storing passwords and has always prioritized product security.

To reinforce their commitment to product security, AgileBits, the company behind 1Password, is launching their public bug bounty program!


Learnings from Their Private Program:

Last year, the AgileBits team launched their private program with Bugcrowd to encourage vulnerability disclosure and stay on top of security concerns and validate their security model. Their 2015 private bug bounty program focused on 1Password teams signups and infrastructure.

“We’ve always encouraged security researchers to poke around at 1Password,” says Jeffrey Goldberg of AgileBits. “As clever as we might think we are, there will always be things we miss that experienced outsiders will catch. By launching a public bug bounty program we make that encouragement official, but more importantly, we bring in an even wider range of talent to help us continually improve the security of 1Password.”

AgileBits Public Program:

Building upon their private program, this public launch includes an expanded scope to cover all of the server-side APIs. Additionally, this program includes White Box Testing features, allowing researchers to cut to the chase and attack the product more directly, with API documentation provided on a best-effort basis.

Program Brief:

In-Scope Targets:

Reward Range: $100 – $25,000

Note: the top $25,000 reward is for researchers who capture the designated flag. Visit their program brief to see all details.

Business and Family accounts are included in the program. As a member of the bugcrowd-test Business account, you will be testing the product as an unprivileged member of the bugcrowd-test account. If you wish to test the product as a privileged account member, you may also sign up for your own Business or Family account. All initial signups receive a free trial period that is at least 30 days long. Please be sure to sign up using your domain email address so we can track your account as part of the program.

AgileBits is committed to long-term testing and may extend active test accounts at its sole discretion. Visit their program brief to see all details.


We are happy to work with the AgileBits team in their commitment to product security and look forward to the work from the security research community on this challenging program. Please feel free to reach out to for additional questions.

Happy Hunting!