Atlassian

  • $200 – $10,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 2243
  • Validation within 10 days 75% of submissions are accepted or rejected within 10 days
  • Average payout $955.88 within the last 3 months

Latest hall of famers

Recently joined this program

Tools for teams, from startup to enterprise. Atlassian provides the tools to help every team unleash their full potential.

Get Started (tl;dr version)

  • Do not access, impact, destroy or otherwise negatively impact Atlassian customers, or customer data in anyway.
  • Ensure that you use your @bugcrowdninja.com email address.
  • Bounties are awarded differently per product (see below for more details on payouts).
  • Ensure you understand the targets, scopes, exclusions, and rules in Scope & Rewards.

Focus Areas

Due to the collaborative nature of Atlassian products, we are not interested in vulnerabilities surrounding enumeration and information gathering (being able to work effectively as a team is the purpose of our products). Instead, we're more interested in traditional web application vulnerabilities, as well as other vulnerabilities that can have a direct impact to our products. Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Cross Instance Data Leakage/Access**
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.

Product Quick Links

Creating Your Instance

Jira + Confluence Cloud
To access the instance and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:

  • Navigate to this page here
  • Complete the verification flow
  • When it is time to rename your instance, using the following format: bugbounty-test-<bugcrowd-name> Note that <bugcrowd-name> should be replaced with your own bugcrowd username
  • Click "Agree"
  • Once your instance has been completed that's it - you can test away!

Additional Cloud Products

  1. Once your cloud instance is set up, you can add additional products via Atlassian Administration
  2. Go to the "Products" tab
  3. Click on "Add product"
  4. Select the cloud products you would like to add (e.g Jira Product Discovery, Jira Service Management, Jira Work Management, Statuspage)

Bitbucket Cloud

  1. Navigate to https://bitbucket.org/ and select "Log In"
  2. Select "Sign Up" and create an account with your @bugcrowdninja.com email address.
  3. Start testing!

All Atlassian Data Center Products
To access the target and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the steps below:

  1. Navigate to Data Center product link above
  2. Download the latest version of the product you want to test
  3. Install the product
  4. (if required) Generate a trial license for the product at my.atlassian.com
  5. Start testing

To spin up a local Docker instance follow the steps located at:

Note: After the trial period expires you can generate another evaluation license and continue researching. Please remember to check that you are still on the latest version.

Disclosure Request Guidance

Submissions that meet the following requirements will be considered for disclosure upon request:

  • The submission has been accepted
  • The reported vulnerability has been fixed and released in production
  • The submission does not regard a customer instance or a customer’s account

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.