Passwd bug bounty program

Go to bug report form

For ethical hackers!

Are you looking for a challenge? We are seeking skilled individuals to attempt to breach our team password manager, Passwd. If you successfully break into our system and discover vulnerabilities, we’ll pay you for your efforts.

Our team at Passwd takes security seriously, and we believe that finding and fixing potential security issues is essential for maintaining a secure system. That’s why we’re offering a bug bounty program for anyone who can successfully breach our password manager.

Here’s what you need to know:

  • Passwd is a team password manager integrated with Google Workspace, used by teams to securely store, manage and share their passwords.
  • Our bug bounty program is open to anyone who wants to participate, regardless of their location or experience level.
  • The reward for the successful discovery of a vulnerability depends on its severity and is divided into levels P1, P2, P3 and P4 according to https://bugcrowd.com/vulnerability-rating-taxonomy:

Level P5 and other bugs not listed: [$0] – not rewarded

P4: [$100]

Examples: reflected XSS, stored XSS, SQL injection, broken authentication and session management.

P3: [$400]

Examples: remote code execution, insecure direct object references, arbitrary file uploads.

P2: [$800]

Examples: remote code execution with system privilege, authentication bypass leading to complete system compromise.

P1: [$1500+]

Examples: remote code execution with root privilege, physical access to critical data, breaches leading to loss of data that can’t be restored.

Note: We will only pay for successful attempts. The reward amount for each level is a starting point, and we reserve the right to adjust the reward based on the severity and impact of the vulnerability.

  • In addition to the reward, successful participants will be recognized in our hall of fame as a thank you for their contribution to the security of our system.
  • In order to qualify for the bug bounty, you must report any vulnerability you discover to us in a responsible manner, and provide us with enough details to reproduce and fix the issue.
  • You must also agree not to disclose any vulnerability you discover to anyone else until we have had a reasonable opportunity to fix the issue.

By participating in our bug bounty program, you’ll have a chance to earn money for your efforts, as well as recognition for your contribution to the security of our app. Our users rely on Passwd to securely store and manage their passwords, and we want to ensure that their information is always protected.

So, if you’re up for the challenge and want to help us improve the security of our password manager, we’d love to hear from you. To participate in our bug bounty program, please follow these instructions.

Products in-scope

Consider all your actions within these rules against these products as legal.

High focus areas:

  • Authentication bypass
  • Device approval bypass
  • Cross-site request forgery
  • Cross-site scripting (XSS)
  • Privilege escalation
  • Information disclosure
  • Remote code execution

Thank you for your interest in helping us keep Passwd secure!

Why is bug bounty so important for our users?

Our bug bounty program is an essential part of our commitment to security and our users. By engaging with ethical hackers and incentivizing them to find vulnerabilities in our Passwd password manager, we can discover and fix potential security issues before they can be exploited by malicious actors. This helps us maintain a high level of security for our users’ sensitive data and ensures that Passwd is always up to date with the latest security standards. By participating in our bug bounty program, you’ll be making a significant contribution to the overall security of our system, which in turn helps us to provide the best possible service to our users.
