Security has always been central to what we do at LastPass. But we're never done with security; we're constantly tweaking, improving, and seeking new ways to protect against emerging threats.
To make those improvements, we contract reputable third-party firms to analyze and test our product. We also rely on our users and the broader white hat security community to challenge our technology with responsible disclosure.
Responsible disclosure entails notifying the LastPass team of bugs or vulnerabilities, allowing us adequate time to test and fix the reported problems, and avoiding publishing any information about the report until we've resolved the issues.
No matter how our community reports an issue to us, our procedures ensure we address them urgently and efficiently when bugs and vulnerabilities arise.
Maintaining Responsible Disclosure
Our security process includes the following:
- Direct communication to the LastPass team via the <securitydisclosure@lastpass.com> email address so that issues can be escalated to our threat intelligence team immediately. When reporting potential issues, the more information provided, the better our team can address the security concern (including links, URLs, and account addresses).
- A bug bounty program (hosted at BugCrowd) that recognizes and incentivizes the critical work that security researchers do in responsibly disclosing issues. We accept reports for all our products, including our password manager, single sign-on, and multi-factor authentication.
- Reporting suspicious emails if you think you’ve received a suspicious email or need to clarify its legitimacy. Please forward any questionable emails to <abuse@lastpass.com> and our team will notify you as to whether the message is legitimate or not.
- Penetration tests and audits with reputable third-party firms that stress-test our architecture and security team processes.
- Industry certifications that show LastPass has met strict standards and requirements from an infrastructure and product architecture perspective, like ISO 27001, SOC2 Type II, SOC3, BSI C5, TRUSTe, and more.
- A technical whitepaper that offers a comprehensive overview of our security architecture, including LastPass’s zero-knowledge encryption model, single sign-on security, and federated login services.
Pen tests, audits, and certifications show our proactive approach to security. On the other hand, the bug bounty program and security report process show how we react to issues. Our product is more robust when we can both anticipate potential issues and have a reliable, time-sensitive process for reacting to problems when they arise.
LastPass Trust Center
Our security report and responsible disclosure processes are critical to the four pillars of the LastPass Trust Center - Security, Privacy, Compliance, and Transparency. With the Trust Center, we seek to meet our customers' security needs and set a new benchmark for how companies should communicate and build trust with their users. With proactive measures in place and vetted processes for reacting to urgent reports via responsible disclosure, we can build trust through open communication with the LastPass community.
Learn more about by visiting the LastPass Trust Center.