AgileBits, the developer behind 1Password, just upped the ante for bug hunters, putting up $100,000 for anyone who can break into a 1Password vault and obtain a plain text file full of “bad poetry.”
Previously, the “capture the flag” bug bounty was a mere $25,000, but in order to push security researchers to find vulnerabilities in the 1Password platform — and to demonstrate its effectiveness — AgileBits raised the bounty fourfold.
The bug bounty is up on BugCrowd, a platform for crowdsourcing bug hunts, where companies can easily reward security researchers for discovering security vulnerabilities in their products. It’s the biggest bounty currently on the platform, and AgileBits claims the bounty is a measure of how seriously it takes the security of 1Password users.
“We owe it to our customers to do everything in our power to keep them and their information secure. This means using the ingenuity of real people to help us continually improve the security of 1Password. It was important to us to demonstrate how seriously we take this contribution and have increased the prize to prove it,” said Jeff Shiner of AgileBits, speaking with Tom’s Hardware.
The bug bounty specifies a particular account which researchers will have to breach in order to access the bad poetry file. It’s a more focused attack than most users would ever be subjected to, but it’s a good way to stress test the 1Password platform’s overall security.
Password managers are getting more popular every day, and they’re a great way to add an extra layer of security to your digital life, but they’re only as secure as the password you use to access your password manager.
If you use your master password elsewhere, hackers could get into your password manager indirectly. Still, this bug bounty is an excellent way to test how well 1Password works as a platform, without having to compensate for user error.