Atlassian

  • $200 – $10,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded: 2129
  • Validation within 5 days: 75% of submissions are accepted or rejected within 5 days
  • Average payout: $2,215.44 within the last 3 months

Recently joined this program

3015 total

Bonus Rewards!!

We are pleased to announce Atlassian is now offering bonuses (5x) for eligible Confluence Data Center (DC) submissions.

The bonus is live as of November 06, 2023 and will end on December 1, 2023 at 11:59 PM PST (originally November 17).

UPDATE: We are extending this bonus until December 1, 2023 at 11:59 PM PST.

To qualify for bonus rewards, the submissions must fit the following criteria:

  • Confluence DC (LTS 7.19.16, LTS 8.5.3, or the current latest version 8.6.1)
  • Rated CVSS (v3) 9.0+
  • Submitted on or before December 1, 2023 at 11:59 PM PST (originally November 17)

Below are the bonus details:

Target                  | Previous Reward Range | New Reward Range
Confluence Data Center  | $6,000                | $30,000

Note: bonuses are subject to change. If you have any questions, please reach out to support@bugcrowd.com.


Tools for teams, from startup to enterprise. Atlassian provides the tools to help every team unleash their full potential.

Get Started (tl;dr version)

  • Do not access, destroy or otherwise negatively impact Atlassian customers or customer data in any way.
  • Ensure that you use your @bugcrowdninja.com email address.
  • Bounties are awarded differently per product (see below for more details on payouts).
  • Ensure you understand the targets, scopes, exclusions, and rules in Scope & Rewards.

Focus Areas

Due to the collaborative nature of Atlassian products, we are not interested in vulnerabilities surrounding enumeration and information gathering (being able to work effectively as a team is the purpose of our products). Instead, we're more interested in traditional web application vulnerabilities, as well as other vulnerabilities that can have a direct impact on our products. Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Cross Instance Data Leakage/Access**
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.

Creating Your Instance

Jira + Confluence Cloud
To access the instance and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:

  • Navigate to this page here
  • Complete the verification flow
  • When it is time to rename your instance, use the following format: bugbounty-test-<bugcrowd-name>. Note that <bugcrowd-name> should be replaced with your own Bugcrowd username.
  • Click "Agree"
  • Once your instance has been completed that's it - you can test away.

Compass

  1. Navigate to https://www.atlassian.com/software/compass
  2. Click "Get it free today"
  3. Sign up with your @bugcrowdninja.com email address
  4. Start testing!

Bitbucket

  1. Navigate to https://bitbucket.org/ and select "Log In"
  2. Select "Sign Up" and create an account with your @bugcrowdninja.com email address.
  3. Start testing!

All Atlassian Server Products
To access the target and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:

  1. Navigate to www.atlassian.com
  2. Download the server version of the product you want to test
  3. Install the product
  4. (If required) Generate a trial license for the product
  5. Start testing

Note: After the trial period expires you can generate another evaluation license and continue researching. Please remember to check that you are still on the latest version.

Disclosure Request Guidance

Submissions that meet the following requirements will be considered for disclosure upon request:

  • The submission has been accepted
  • The reported vulnerability has been fixed and released in production
  • The submission does not regard a customer instance or a customer’s account

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.