[{"id":3746250,"new_policy":"AgileBits/1Password introduced a $1 million CTF bug bounty challenge in 2022 to further our commitment to providing an industry-leading security platform for individuals, families, and businesses.\n\n# Other Security Research Opportunities\n==**This program is strictly dedicated to our $1 million CTF.**== If you’re interested in conducting general security research against all areas of the 1Password product, check out our main bug bounty program here: [hackerone.com/1password](https://hackerone.com/1password)\n\n==**Submissions to this program should only be related to capturing the flag.**==\n\n# Get started\nThis version of Capture the Flag is unique. There are no known vulnerabilities that will award you access to the flag; there’s no starting point, nor a guaranteed reward.\n\n**The target (flag):** Bad poetry in the form of a secure note.\n**The location**: A dedicated Bug Bounty CTF account (**[bugbounty-ctf.1password.com](https://bugbounty-ctf.1password.com)**). \n\nSend an email to [bugbounty@agilebits.com](mailto:bugbounty@agilebits.com) and include your HackerOne username. You'll receive access to the Bug Bounty CTF account that contains more information. ==**Note: If you were a researcher from our previous bug bounty platform**==, you do ***not*** need to resubmit for a new user; you can continue to use your existing user on the dedicated Bug Bounty CTF account.\n\n==**You should only be submitting to the program if you believe you have captured the flag**== or are close to capturing the flag. Only valid submissions that detail the steps used to capture the flag are eligible to earn the **$1 million reward**. 
==**All other submissions will be marked as \"Not Applicable\" and the researcher will lose points.**==\n\n# Disclosure Policy\n* Please do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.\n* Follow HackerOne's [disclosure guidelines](https://www.hackerone.com/disclosure-guidelines).\n\n# Get help\nStart with the [1Password Security Design White Paper](http://1pw.ca/whitepaper), and pay particular attention to the section titled Beware of the Leopard (page 68). It explains the decisions and considerations behind the 1Password security design. We’ve also **[created a tool](https://github.com/1Password/burp-1password-session-analyzer)** to help you investigate [1Password.com](http://1Password.com) requests and responses with your own session key.\n\n- We don’t accept or permit phishing, malware, or compromising 1Password member accounts.\n- For information about the internal API, general questions, and to submit *partial* reports and theories, please send an email to **[bugbounty@agilebits.com](mailto:bugbounty@agilebits.com)** so we can collaborate, provide support, and offer appropriate guidance.\n- We’re happy to answer general questions via email but won’t provide direct assistance to capture the flag.\n- Assistance isn’t guaranteed for complex and/or time-consuming requests.\n- Access to the Bug Bounty CTF account is intentionally limited to the scope of the CTF competition. We recommend using a different account for general bug bounty program research.\n","has_open_scope":null,"pays_within_one_month":null,"protected_by_gold_standard_safe_harbor":null,"protected_by_ai_safe_harbor":null,"disclosure_declaration":null,"introduction":null,"platform_standards_exclusions":[],"exemplary_standards_exclusions":[],"scope_exclusions":[],"timestamp":"2024-12-09T17:10:12.074Z"}]