Direct communication to the LastPass security team
Customers with a security concern should report it via email to firstname.lastname@example.org, where it will be escalated to the threat intelligence team.
When reporting potential issues, we ask that users please try to be as thorough as possible in providing information that will allow the LastPass team to appropriately recreate their findings. This may include exact steps to reproduce the bug, any links that were clicked on, pages that were visited, URLs, and any affected account email addresses. Please include a code sample and either images or a video recording that clearly demonstrates the exploit.
If using automated tools to find vulnerabilities, please be aware that these tools frequently report false positives.
Bug bounty program
In addition to our own direct responsible disclosure program, LastPass participates in a bug bounty program, hosted at BugCrowd, to facilitate the work that security researchers do to find and responsibly disclose qualifying security bugs. We appreciate the important work that the security research community provides and their responsible disclosure of issues.
We accept reports through BugCrowd for all our products, which includes Password Manager, SSO and MFA solutions.
Response to security concerns
Once a security concern has been submitted and received directly or via BugCrowd, our team typically follows these steps:
- Take steps to investigate the report and determine its severity.
- Contact the reporter directly to acknowledge receipt of the issue and to get more information if needed.
- If we are able to replicate the reported issue and determine that it is necessary to take action, we will fix the issue or perform a best effort at mitigation. While issues are usually fixed quickly, deploying a fix depends on the complexity, severity of the issue, and update release process.
- Once we take the appropriate steps to resolve the issue, we'll close the report.
Note: This is not permission or encouragement to gain unauthorized access to LastPass applications, download or disclose any proprietary or confidential information (including customer data), disrupt or compromise any LastPass operations or data, or violate any law.