Tools for teams, from startup to enterprise. Atlassian provides the tools to help every team unleash their full potential.
Get Started (tl;dr version)
- Do not access, impact, destroy or otherwise negatively impact Atlassian customers, or customer data in anyway.
- Ensure that you use your @bugcrowdninja.com email address.
- Bounties are awarded differently per product (see below for more details on payouts).
- Ensure you understand the targets, scopes, exclusions, and rules in Scope & Rewards.
Due to the collaborative nature of Atlassian products, we are not interested in vulnerabilities surrounding enumeration and information gathering (being able to work effectively as a team is the purpose of our products). Instead, we're more interested in traditional web application vulnerabilities, as well as other vulnerabilities that can have a direct impact to our products. Below is a list of some of the vulnerability classes that we are seeking reports for:
- Cross Instance Data Leakage/Access**
- Server-side Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- Stored/Reflected Cross-site Scripting (XSS)
- Cross-site Request Forgery (CSRF)
- SQL Injection (SQLi)
- XML External Entity Attacks (XXE)
- Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
- Path/Directory Traversal Issues
Ensure you review the out of scope and exclusions list for further details.
** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.
Jira and Confluence:
- Use the following naming convention: bugbounty-test-<bugcrowd-name>.atlassian.net
- We only accept vulnerabilities affecting the latest version of the product you are testing
- Mobile Targets:
Creating Your Instance
Jira + Confluence Cloud
To access the instance and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:
- Navigate to the checkout page here
- Click "Next"
- Complete the form, using the following format: bugbounty-test-<bugcrowd-name> Note that <bugcrowd-name> should be replaced with your own bugcrowd username
- Click "Start now"
- Once your instance has been completed that's it - you can test away.
- Navigate to https://www.atlassian.com/software/compass
- Provide your @bugcrowdninja.com email address
- We will send you a survey
- In the survey, note that you are a bugcrowd security researcher
- Wait for another email to get access and start testing
- Navigate to https://bitbucket.org/ and select "Log In"
- Select "Sign Up" and create an account with your @bugcrowdninja.com email address.
- Start testing
All Atlassian Server Products
To access the target and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:
- Navigate to www.atlassian.com
- Download the server version of the product you want to test,
- Install the product,
- (if required) Generate a trial license for the product,
- Start testing
Note: After the trial period expires you can generate another evaluation license and continue researching. Please remember to check that you are still on the latest version.
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email firstname.lastname@example.org. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.