Did you miss a session on the Information Summit? Watch On-Demand Right here.
At this time, 1Password introduced that it has elevated its prime bug bounty reward to $1 million, after 800 makes an attempt by researchers didn’t seaside the platform for a bounty of $100,000. This implies the group now has the most important monetary incentive program for moral hackers.
After posting the bounty, 1Password goals to collect enter from hundreds of exterior safety specialists and white hat hackers who will try to breach its platform. In the event that they’re profitable they’ll win the bounty, and 1Password will discover vulnerabilities that potential attackers may exploit or bugs that influence the consumer expertise.
For enterprises, 1Password’s bounty has the potential to spotlight it’s options safety as a password supervisor and safe digital pockets, that even hundreds of safety researchers can’t crack.
Thus far this system has been profitable in illustrating the success of its platform, as whereas 1Password has paid out $103,000 to Bugcrowd researchers (a mean of $900 per reward since 2017) researchers have solely found minor bugs.
A brand new strategy to software program safety
1PassWord’s elevated funding in its bounty reward program comes at a time when organizations have gotten more and more distrusting of third social gathering software program purposes amid the rise of software supply chain attacks, which rose by 300% in 2021.
One of the crucial high-profile incidents occurred when hackers breached SolarWinds’ safety platform and added malicious code they supposed to deploy to 18,000 downstream clients (though the precise variety of clients hacked was lower than 100).
Whereas the size of the SolarWinds assault was uncommon, attackers are regularly concentrating on software program code to search out vulnerabilities they’ll use to entry the information of a provider’s clients or shoppers.
In reality, research exhibits that attackers deal with provider’s code in 66% of reported provide chain assaults. That is placing strain on organizations to ve and validate third-party code to make sure that it’s not open to exterior risk actors.
1Password’s reply to those safety issues and the rising mistrust in third social gathering platforms is to incentivise third events to attempt to compromise it’s platform, to reveal its safety pedigree in opposition to a military of exterior researchers.
“Since 1Password’s inception, we’ve inspired everybody to achieve out to us with strategies round how we may enhance 1Password safety. Although our crew works arduous each day to design and construct essentially the most safe password supervisor right here is, that doesn’t imply we don’t have blind spots. That’s why we’ve labored with Bugcrowd since 2017 to have the ability to reward researchers who level us in direction of something we would have missed,” mentioned Director of Safety for 1Password, Adam Caudill.
This exterior testing strategy is one which many software program suppliers may incorporate to “battle-test” their platforms, and acquire the belief of shoppers by exhibiting that their safety measures can preserve out extremely motivated and expert attackers.
The password safety market
1Password is a part of the global password management market, which was valued a $1,246.9 million in 2020 and is anticipated to achieve $3,071 million by 2026 because the rising variety of Web and cell gadgets, and on-line providers will increase the quantity of consumer profiles will increase the variety of accounts consumer’s have to safe.
The group is competing in opposition to many different password administration suppliers together with LastPass, which gives customers single-sign-on and multi-factor authentication (MFA) whereas providing darkish net monitoring to detect if credentials are leaked on-line.
The group achieved $200 million in annual recurring revenue and have become an unbiased firm final 12 months.
One other competitor is Keeper Security with Keeper Limitless, a free, enterprise-grade password administration resolution.
The software allows customers to take away credentials from supply code, automate credential administration, safe information with zero-knowledge encryption and scan the darkish net for leaked passwords, and is one among Keeper Security’s key merchandise following its $60 million funding spherical in 2020.
As extra password managers exhibit more and more numerous characteristic units, 1Password’s bug bounty strategy helps to distinguish itself by utilizing exterior testers to reveal that its resolution can stand as much as the onslaught of subtle fashionable assaults.
