Maintaining Responsible Disclosure

We believe that we all benefit when the security process works as designed. It’s why we built LastPass’ security strategy around rapid response to reports of bugs or vulnerabilities. In addition to undergoing rigorous, ongoing internal reviews, we also look to the LastPass community to challenge our technology, offering users various ways they can contribute their input.

Direct communication to the LastPass security team

Customers with a security concern should report it via email to securitydisclosure@lastpass.com, where it will be escalated to the threat intelligence team.

When reporting potential issues, we ask that users please try to be as thorough as possible in providing information that will allow the LastPass team to appropriately recreate their findings. This may include exact steps to reproduce the bug, any links that were clicked on, pages that were visited, URLs, and any affected account email addresses. Please include a code sample and either images or a video recording that clearly demonstrates the exploit.

If using automated tools to find vulnerabilities, please be aware that these tools frequently report false positives.


Report suspicious emails

Did you receive a suspicious email? Do you need to report it to clarify its legitimacy?

Please forward any questionable emails to abuse@lastpass.com. Our team will take appropriate action from there; we will notify you as to whether the email is legitimate.


Bug bounty program

In addition to our own direct responsible disclosure program, LastPass participates in a bug bounty program, hosted at BugCrowd, to facilitate the work that security researchers do to find and responsibly disclose qualifying security bugs. We appreciate the important work that the security research community provides and their responsible disclosure of issues.

We accept reports through BugCrowd for all our products, including Password Manager, SSO and MFA solutions.


Response to security concerns

Once a security concern has been submitted and received directly or via BugCrowd, our team typically follows these steps:

  1. Take steps to investigate the report and determine its severity.
  2. Contact the reporter directly to acknowledge receipt of the issue and to get more information if needed.
  3. If we are able to replicate the reported issue and determine that it is necessary to take action, we will fix the issue or perform a best effort at mitigation. While issues are usually fixed quickly, deploying a fix depends on the complexity and severity of the issue and on the update release process.
  4. Once we take the appropriate steps to resolve the issue, we'll close the report.

Note: This is not permission or encouragement to gain unauthorized access to LastPass applications, download or disclose any proprietary or confidential information (including customer data), disrupt or compromise any LastPass operations or data, or violate any law.
