1Password CTF Bug Bounty Program

Introduction

This program is strictly dedicated to our $1 million CTF, all other submissions that do not result in capturing the flag will be considered out of scope. AgileBits/1Password introduced a $1 million CTF bug bounty challenge in 2022 to further our commitment to providing an industry-leading security platform for individuals, families, and businesses.

Program highlights

Gold Standard Safe Harbor — Adheres to Gold Standard Safe Harbor. https://docs.hackerone.com/en/articles/8494525-gold-standard-safe-harbor-statement

Collaboration Enabled — Includes Retesting

Rewards

Target: https://bugbounty-ctf.1password.com/

This version of Capture the Flag is unique. There are no known vulnerabilities that will award you access to the flag; there's no starting point, nor a guaranteed reward. You should only be submitting to the program if you believe you have captured the flag or are close to capturing the flag. Only valid submissions that detail the steps used to capture the flag are eligible to earn the $1 million reward.

Scope Exclusions

Core Ineligible Findings are out of scope. https://docs.hackerone.com/en/articles/8494488-core-ineligible-findings

Platform Standards Deviations

This program has not committed to the following Platform Standards:

• Multiple reports on systemic vulnerabilities — Multiple reports to capture the flag that result from the same systematic issue will only be eligible for the $1 million bounty for the first report.
• Severity rating for insecure direct object references (IDORs) with unpredictable IDs
• Evaluation and payment for bypassing previously resolved vulnerabilities
• Severity rating for vulnerable network connection in client applications
• Severity rating for leakage of sensitive personally identifiable information
• Severity rating for vulnerabilities involving a self-sign-up flow
• Third-party components: for programs consuming the component

Overview

AgileBits/1Password introduced a $1 million CTF bug bounty challenge in 2022 to further our commitment to providing an industry-leading security platform for individuals, families, and businesses.

This program is strictly dedicated to the $1 million CTF. If you're interested in conducting general security research against all areas of the 1Password product, check out the main bug bounty program: https://hackerone.com/1password

Getting Started

The target (flag): Bad poetry in the form of secure note.

The location: A dedicated Bug Bounty CTF account (https://bugbounty-ctf.1password.com).

Send an email to [email protected] and include your HackerOne username. You'll receive access to the Bug Bounty CTF account that contains more information. If you were a researcher from the previous bug bounty platform, you do not need to resubmit for a new user; you can continue to use your existing user on the dedicated Bug Bounty CTF account.

You should only be submitting to the program if you believe you have captured the flag or are close to capturing the flag. Only valid submissions that detail the steps used to capture the flag are eligible to earn the $1 million reward. All other submissions will be marked as "Not Applicable" and the researcher will lose points.

Disclosure Policy

• Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• Follow HackerOne's disclosure guidelines.

Resources & Support

Start with the 1Password Security Design White Paper, and pay particular attention to the section titled "Beware of the Leopard" (page 68). It explains the decisions and considerations behind the 1Password security design.

A tool to investigate 1Password requests and responses with your own session key is available.

Restrictions:

• We don't accept or permit phishing, malware, or compromising 1Password member accounts.

Support:

• For information about the internal API, general questions, and to submit partial reports and theories, email [email protected] so we can collaborate, provide support, and offer appropriate guidance.
• We're happy to answer general questions via email but won't provide direct assistance to capture the flag.
• Assistance isn't guaranteed for complex and/or time-consuming requests.
• Access to the Bug Bounty CTF account is intentionally limited to the scope of the CTF competition. A different account is recommended for general bug bounty program research.