Commitment to Security
Security is our highest priority at LastPass, including quickly responding to and fixing reports of material bugs or vulnerabilities. LastPass is in part able to achieve a high level of security for our users by looking to our community to challenge our technology. We appreciate the important work that the security research community provides and appreciate responsible disclosure of issues. Further, we believe that when the security process works as designed, we all benefit.
Note: If you are a LastPass user and you're concerned that your account has been hacked, compromised, or is otherwise at risk, please contact the LastPass support team. We will review and escalate your issue appropriately.
Submitting a Security Report
If you're a security researcher and believe you have found a security bug or vulnerability with LastPass, please follow these steps:
- Read the LastPass Security FAQs to make sure your concern hasn't already been addressed.
- Submit your report via our BugCrowd bug bounty program.
- Include a code sample and screencast demonstrating the exploit whenever possible.
- Clearly show how the bug or vulnerability impacts user data or LastPass systems.
- Allow us sufficient time to review and respond to your report, and coordinate with us for review and approval before any public posting of your findings.
- Refrain from accessing, modifying, or stealing user data, as well as disrupting the availability of LastPass (including a DDoS attack).
When reporting potential issues, please provide us enough information to recreate your findings. Information may include exact steps to reproduce the bug, any links you clicked on, pages you visited, URLs, and any affected account email addresses. Please include a code sample and either images or a video recording that clearly demonstrates the suspected exploit you have found.
To encrypt sensitive information, you can use this public key:
Note: If you are using automated tools to find vulnerabilities, please be aware that these tools frequently report false positives.
Responding to Reports
Once we receive a report, we will take steps to investigate the report and determine its severity. If we attempt to fix the identified issue, contingent on its severity, we may contact you for additional information. We will deploy necessary fixes to affected users based on the issue's severity and potential impact. We will close the report once an issue is resolved or otherwise determined to be closed.