Xmarks Security Response

We Value Your Concerns


Our business is keeping customer information both private and secure.

We appreciate all security concerns brought forth and are constantly striving to keep on top of the latest threats. Being pro-active rather than re-active to emerging security issues is a fundamental belief at Xmarks. Every day new security issues and attack vectors are created. Xmarks strives to keep abreast on the latest state-of-the-art security developments by working with security researchers and companies. We also work with highly talented members of the Xmarks community who offer their expertise to help improve the product for everyone.

If you have discovered a potential security issue with any of our products, we kindly ask you to let us know as soon as possible.

How To Report Security Issues

When reporting potential issues, please try to be as thorough as possible providing us enough information so that we can recreate your findings.

Identify The Type of Your Security Concern
We have two types of security reports. Both types will be answered promptly, but it is important that you select the right one in order to receive a timely answer to your issue.

If your security issue affects only your account or yourself, then it is classified as a 'Locally Impacting Security Concern'.

If, on the other hand, your security issue can impact all or many Xmarks users, then it is classified as a 'Broadly Impacting Security Concern'.

Reporting Locally Impacting Security Concerns
Submit a new support ticket.

Be sure to select 'I Want To: Report a security issue'.
We'll respond back to you within the support ticket unless the issue is of a sensitive or urgent nature, in which case we'll email you directly.
Please give us 48-72 hours to review your issue in depth.

Reporting Broadly Impacting Security Concerns
Email us directly at security@lastpass.com
If the information is sensitive, please encrypt it accordingly.

We'll analyze the information you send and if we feel it's genuine we'll respond back to you directly within a few hours.
If you don't hear back from us within 24 hours, and didn't receive a non-delivery-notification for your sent email, then it's likely that we don't have enough information to deem whether you have found a legitimate exploit. Please try resubmitting your findings but make sure you include a code sample and screencast that clearly demonstrates the exploit you have found. If you are using automated tools to find vulnerabilities, please be aware that these tools always report false positives. Most times, it's insufficient to simply find the vulnerability and point us to an FAQ on the subject: you should show us how it can be used to impact user data or our systems. As an example, if you find a clickjacking vulnerability please clearly show us what end user sensitive action the end user can be tricked into performing.

What Happens After I Submit a Security Concern?

Once you have submitted a security concern, here's what we promise to do on our end:

  1. We'll immediately take steps to identify if the concern is a legitimate issue and determine its severity.
  2. If we require more information, we'll contact you directly. Otherwise, we'll try to fix the issue potentially with your assistance. While fixing the issue will generally be completely in short order, deploying the fix to affected customers will be done based on the issue's severity.
  3. Once the issue is fully resolved to both your and our satisfaction, we'll thank you for your discovery.


Click here to view a list of security researchers and companies that have contacted us directly to work with us to fix security flaws safely.