Today, 1Password announced that it has increased its top bug bounty reward to $1 million, after 800 attempts by researchers failed to breach the platform for a bounty of $100,000. The company says this makes its program the largest financial incentive for ethical hackers.
By posting the bounty, 1Password aims to attract thousands of external security experts and white hat hackers who will attempt to breach its platform. If they succeed they win the bounty, and 1Password learns of vulnerabilities that real attackers could exploit, or of bugs that affect the user experience.
For enterprises, the bounty is intended to highlight the security of 1Password's password manager and secure digital wallet, on the grounds that even thousands of security researchers have not been able to crack it.
So far the program has supported that claim: while 1Password has paid out $103,000 to Bugcrowd researchers since 2017 (an average of $900 per reward), researchers have discovered only minor bugs.
A new approach to software security
1Password's increased investment in its bounty program comes at a time when organizations are growing increasingly distrustful of third-party software amid the rise of software supply chain attacks, which rose by 300% in 2021.
One of the most high-profile incidents occurred when attackers compromised SolarWinds' build process and inserted malicious code into an update of its Orion platform. The trojanized update reached as many as 18,000 downstream customers, although the number of customers actually hacked further was fewer than 100.
While the scale of the SolarWinds attack was unusual, attackers are continually targeting software code to find vulnerabilities they can use to access the data of a supplier’s customers or clients.
In fact, research shows that attackers focus on the supplier's code in 66% of reported supply chain attacks. This is putting pressure on organizations to vet and validate third-party code to ensure that it does not expose them to external threat actors.
1Password's answer to these concerns and to the growing distrust of third-party platforms is to incentivize outsiders to try to compromise its platform, demonstrating its security pedigree against an army of external researchers.
"Since 1Password's inception, we've encouraged everyone to reach out to us with suggestions around how we could improve 1Password security. Though our team works hard every day to design and build the most secure password manager there is, that doesn't mean we don't have blind spots. That's why we've worked with Bugcrowd since 2017 to be able to reward researchers who point us towards anything we might have missed," said Director of Security for 1Password, Adam Caudill.
This external testing approach is one that many software providers could adopt to "battle-test" their platforms and gain customer trust by showing that their security measures hold up against highly motivated and skilled attackers, as a complement to, rather than a replacement for, their own internal security testing.
The password security market
1Password is part of the global password management market, which was valued at $1,246.9 million in 2020 and is expected to reach $3,071 million by 2026, as the growing number of Internet-connected and mobile devices and online services increases the number of accounts users need to secure.
The company competes against many other password management providers, including LastPass, which offers users single sign-on and multi-factor authentication (MFA) along with dark web monitoring to detect whether credentials have been leaked online.
LastPass reached $200 million in annual recurring revenue and became an independent company last year.
Another competitor is Keeper Security, with its Keeper Unlimited enterprise-grade password management solution.
The tool enables users to remove credentials from source code, automate credential management, secure files with zero-knowledge encryption and scan the dark web for leaked passwords, and it is one of Keeper Security's key products following its $60 million funding round in 2020.
As password managers show off increasingly diverse feature sets, 1Password's bug bounty approach is helping it differentiate itself by using external testers to demonstrate that its solution can stand up to sophisticated modern attacks.