Under the Hood of the LastPass Bug Bounty Program

September 13, 2017 | Security News

It takes a village. This proverb traditionally refers to raising children but, today, it applies equally well to online security. At LastPass, our number one goal is keeping our users safe. We believe in being proactive in today’s age of ever-changing security threats.

To keep you safe, we design security into the core of how we build LastPass, we employ and train talented engineers, and we use modern standards, practices and tools. We constantly strive to keep abreast of the latest security threats. However, like editing one's own writing, relying solely on our own ability to assess and improve our security readiness can leave gaps. We will always have assumptions and biases that shape our threat model, and the flaws we are least likely to find are the ones those assumptions hide. To expose possible blind spots and ensure we maintain the highest level of security, we routinely work with external companies and independent security researchers.

Highly talented members of the LastPass community are a critical component of our security model. We enlist the help of this larger village primarily through our bug bounty program. We encourage trusted researchers to look for issues and submit them responsibly to us. When valid issues are found, we offer rewards commensurate with the severity of the issue.

Why would we pay people to try to hack our systems? The reality is that someone is always trying to hack your systems. For a public security company like LastPass, this is especially true. To combat the malicious hackers of the world, we support, and are indebted to, the white-hat researchers. Their philosophy is that we all benefit when we collectively challenge technology and service providers to deliver the highest levels of security.

For these researchers, bug bounty programs have become the new penetration test: continuous, crowd-sourced and paid per finding rather than per engagement. These days, for a company to be considered security-conscious, it needs to have a bug bounty program. However, merely having a bug bounty program does not improve your security. The real benefit of a bug bounty program lies in how effectively you triage and resolve valid submissions; a program that accepts reports but cannot reproduce, prioritize and fix them quickly only adds noise. At LastPass, we have integrated our bug bounty submissions directly into our agile development process. Submissions are inserted directly into our tracking system, alongside internal support incidents, and made visible in each team's daily sprint work.

To further ensure that new feature development never hinders our visibility and response time, the engineering team has created the role of Security Sheriff. This role rotates weekly through the engineering team and is responsible for ensuring rapid triage of, and response to, every submission. If a submission requires a fix, the Sheriff ensures the fix moves quickly and effectively through the development cycle and out to our users.

Security is our number one priority at LastPass. We fundamentally believe that harnessing our large community of security-conscious individuals, through a well-designed bug bounty program, makes our product better. We will constantly evolve the way we work internally, and with our wider talented community, to make security effortless for users.

Jason Luce is the VP of Engineering at LogMeIn, leading all development efforts for LastPass. Jason began his career in the consulting industry, where he developed his love for building innovative technology solutions that deliver great products. Prior to this role, Jason worked at Monster Worldwide for ten years and, most recently, was SVP, Product & Engineering at Scout Exchange, a Boston-based HR Tech startup. Follow Jason on Twitter: @jasonluce