1Password, a password management software vendor, revealed that it will pay up to $1 million to researchers who can extract secrets from its vault.
The highest reward is part of the company’s bug bounty program, which has been running for years on Bugcrowd.
The top reward offered through the program has been $100,000 since 2017. Despite hundreds of attempts, no researcher has claimed it so far.
Over the last four years 1Password has paid out about $103,000 through Bugcrowd, in 115 separate rewards averaging roughly $900 each, all for less severe vulnerabilities.
More researchers are likely to join the bug bounty program as a result of the newly announced $1 million reward, which will help 1Password improve the security of its products.
Researchers who want to win the $1 million reward must gain access to a designated white-box test account and retrieve the flag stored in it: a note containing bad poetry.
The company said: “There are no known vulnerabilities that will award you access to the bad poetry; there is no starting point, and it’s not a game with a guaranteed reward. Phishing, malware, and anything that involves tricking or compromising a 1Password member’s account are not allowed.”
The company will answer general questions about its bug bounty program and will also provide a special tool for inspecting 1Password.com requests and responses, but it will not give direct assistance in capturing the flag.
Google, Apple, and numerous cryptocurrency companies have also offered bug bounties of $1 million or more.