1Password Raises Top Bug Bounty to $100,000 for 'Bad Poetry'

In a bid to help further improve the state of security in the 1Password password management system, developer AgileBits is increasing the reward it will pay security researchers for finding hidden encrypted text in a protected area of an account.

Finding bad poetry typically isn't associated with receiving a $100,000 prize, but that's what password management vendor AgileBits is now offering. The 'bad poetry' is hidden in a protected area of an account that regular users should never be able to reach. The idea is that if a security researcher can find the bad poetry as part of the award contest, then there is a security vulnerability in the AgileBits 1Password system.

1Password had previously offered a $25,000 prize as its top bug bounty amount and announced the new $100,000 award on March 9. 1Password is a service operated by AgileBits, which runs its bug bounty program on top of the Bugcrowd platform.

"We have never issued an award for the top flag," Jeffrey Goldberg, who has the somewhat unique title of Chief Defender Against the Dark Arts at AgileBits, told eWEEK.

Goldberg explained that AgileBits increased its top reward for 1Password vulnerability disclosure to motivate the security research community to put even more effort into trying to find flaws.

"Our top prize goes to anyone who can obtain and decrypt some bad poetry, in particular, a horrible haiku stored in a 1Password vault that researchers should not have access to," Goldberg said.

Jason Haddix, Head of Trust and Security at Bugcrowd, explained that the 'bad poetry' itself is an encrypted text file in a protected area of an account. He added that claiming the bug bounty would mean gaining access to that text, reading it and reporting it.

"While 'bad poetry' type flags are definitely a smaller subsection of our bounties, in the hundreds of programs we've managed over the last four years we have seen several of these 'accomplish the objective/hack' type programs," Haddix told eWEEK. "These types of programs are very similar to 1Password's 'bad poetry' one, where the end goal is a great payout."

AgileBits first joined the Bugcrowd platform in 2015 as a way to provide monetary rewards for security disclosures. Goldberg noted that most of the bugs found and reported to date have been mostly harmless, though AgileBits has still paid rewards for them because the issues remain important.

"Attacks on the most secure systems nowadays tend to involve chaining together a series of seemingly harmless bugs, so we're very interested in fixing all bugs," Goldberg said.

The 1Password system was recently exposed to some potential, limited risk from the Cloudbleed information disclosure incident, first publicly disclosed on Feb. 23. In that incident, a parser flaw caused data that should have been protected by SSL/TLS encryption to be unintentionally exposed. Goldberg emphasized that 1Password does not depend on the secrecy of SSL/TLS for its security, and that all 1Password data remained safe and solid in the face of Cloudbleed.

"The combination of a Master Password, Secret Key and encrypted transportation of data means that three layers of protection exist for our customers," Goldberg said. "We designed 1Password so that it doesn't depend on the secrecy of HTTPS."

Looking forward, Goldberg said that AgileBits is actively encouraging deeper testing of 1Password's security systems. He added that the bugs discovered so far are encouraging, in that they show just how secure 1Password's platform is.

"Everything we do at AgileBits revolves around the safety and security of our customer data—so this increase in bounty is a further step to creating a more secure 1Password for our customers," Goldberg said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.