Atlassian

  • Points – $5,000 per vulnerability
  • Safe harbor
  • Managed by Bugcrowd

Program stats

969 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$933.76 average payout (last 3 months)

Latest hall of famers

Recently joined this program

1752 total

Tools for teams, from startup to enterprise. Atlassian provides the tools to help every team unleash their full potential.

Get Started (tl;dr version)

  • Do not access, impact, destroy or otherwise negatively impact Atlassian customers, or customer data in anyway.
  • Ensure that you use your @bugcrowdninja.com email address.
  • Bounties are awarded differently per product (see below for more details on payouts).
  • Ensure you understand the targets, scopes, exclusions, and rules in Scope & Rewards.

Focus Areas

Due to the collaborative nature of Atlassian products, we are not interested in vulnerabilities surrounding enumeration and information gathering (being able to work effectively as a team is the purpose of our products). Instead, we're more interested in traditional web application vulnerabilities, as well as other vulnerabilities that can have a direct impact to our products. Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Cross Instance Data Leakage/Access**
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.

Quick Links

Creating Your Instance

JIRA + Confluence Cloud
To access the instance and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:

  • Navigate to the checkout page here
  • Click "Next"
  • Complete the form, using the following format: bugbounty-test-<bugcrowd-name> Note that <bugcrowd-name> should be replaced with your own bugcrowd username
  • Click "Start now"
  • Once your instance has been completed that's it - you can test away.

Bitbucket

  1. Navigate to https://bitbucket.org/ and select "Log In"
  2. Select "Sign Up" and create an account with your @bugcrowdninja.com email address.
  3. Start testing

All Atlassian Server Products
To access the target and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:

  1. Navigate to www.atlassian.com
  2. Download the server version of the product you want to test,
  3. Install the product,
  4. (if required) Generate a trial license for the product,
  5. Start testing

Note: After the trial period expires you can generate another evaluation license and continue researching. Please remember to check that you are still on the latest version.

Mobile Targets

Jira Cloud Download:
iOS: Here
Android: Here

Confluence Cloud Download:
iOS: Here
Android: Here

Targets

In scope

Target name Type Tags
Jira Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net) Website Testing
  • Spring
  • Website Testing
  • ReactJS
  • Redux
  • Java
Bitbucket Pipelines Website Testing
  • Website Testing
Confluence Cloud Android Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Conflience Cloud iOS iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
Jira Service Desk Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net) Website Testing
  • Website Testing
Jira Cloud Android Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Confluence Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net/wiki) Website Testing
  • Website Testing
Bitbucket Cloud (https://bitbucket.org) Website Testing
  • Website Testing
  • Django
Jira Cloud iOS iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
SourceTree (for macOS and Windows) Website Testing
  • Website Testing
Bitbucket Pipelines (https://bitbucket.org/product/features/pipelines) Website Testing
  • Website Testing
https://admin.atlassian.com/atlassian-access Website Testing
  • Website Testing
Any associated *.atlassian.io or *.atl-paas.net domain that can be exploited DIRECTLY from the *.atlassian.net instance Other
Jira Core Server Other
  • Website Testing
  • ReactJS
  • jQuery
  • Java
  • Spring
Jira Software Server Other
  • Website Testing
  • ReactJS
  • jQuery
  • Java
  • Spring
Jira Service Desk Server Other
  • Website Testing
  • ReactJS
  • jQuery
  • Java
  • Spring
Jira Portfolio Other
  • Website Testing
  • Spring
  • ReactJS
  • Java
Confluence Server Other
  • Website Testing
  • jQuery
  • TinyMCE
  • Java
  • Spring
Bitbucket Server Other
  • Website Testing
  • Django
  • ReactJS
  • Python
Bamboo Other
  • Website Testing
  • API Testing
  • Spring
  • ReactJS
  • Java
Crowd Other
  • Website Testing
  • API Testing
  • Spring
  • Java
FishEye Other
  • Website Testing
  • Spring
  • Java
Crucible Other
  • Website Testing
  • Spring
  • Java
Sourcetree (https://www.sourcetreeapp.com/) Other
  • Desktop Application Testing
  • macOS
  • Windows
Confluence Cloud Mobile App for iOS iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
Confluence Cloud Mobile App for Android Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Jira Cloud Mobile App for iOS iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
Jira Cloud Mobile App for Android Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Other - (all other Atlassian targets) Other
https://play.google.com/store/apps/details?id=com.atlassian.confluence.server Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
https://apps.apple.com/us/app/confluence-server/id1288365159 iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
Confluence Premium - https://www.atlassian.com/software/confluence/premium Website Testing
  • Website Testing
Confluence Server Android App Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
Confluence Server iOS App iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
Jira Server iOS App iOS
  • Mobile Application Testing
  • iOS
  • Objective-C
  • Swift
  • SwiftUI
Jira Server Android App Android
  • Mobile Application Testing
  • Android
  • Java
  • Kotlin
https://id.atlassian.com/login Website Testing
  • API Testing
  • Website Testing
Confluence Companion App Other
https://marketplace.atlassian.com Website Testing
  • Website Testing

Out of scope

Target name Type
AgileCraft and any Related Assets Website Testing
Third party add-ons from the marketplace are strictly excluded (vulnerabilities that exist within third party apps in any way) - we will pass on any vulnerabilities found, however they will not be eligible for bounty. Website Testing
*.bitbucket.io Website Testing
Confluence Team Calendars (https://www.atlassian.com/software/confluence/team-calendars) Website Testing
Confluence Questions Other
Any repository that you are not an owner of - do not impact Atlassian customers in any way. Website Testing
https://blog.bitbucket.org Website Testing
Any internal or development services. Website Testing
bytebucket.org Website Testing
HipChat (inc. HipChat Data Center, HipChat Desktop, HipChat Mobile) Other
Stride (inc. Stride Video, Stride Desktop, Stride Mobile) Other

Rules, Exclusions, and Scopes

Any domain/property of Atlassian not listed in the targets section is strictly out of scope (for more information please see the out of scope and exclusions sections below). Researchers should use the "bugbounty-test-<bugcrowd-name>.atlassian.net" namespace provided in the instructions below. Please do not create additional instances outside of this namespace for testing.

All resources within your instance is in scope (see below for exclusions), this includes the all of the REST APIs and any *.atlassian.io or *.atl-paas.net service that can be exploited from an in scope product.

Out-of-Scope

Anything not declared as a target or in scope above should be considered out of scope for the purposes of this bug bounty. However to help avoid grey areas, below are examples of what is considered out of scope.

  • Enumeration or information disclosure of non-sensitive information (e.g. issue keys, project keys, commit hashes).
  • Blind XSS must not return any user data that you do not have access to (e.g. Screen shots, cookies that aren't owned by you, etc); when testing for blind XSS, please use the least invasive test possible (e.g. calling 1x1 image or nonexistent page on your webserver, etc).
  • XSSs on Server instances that require administrator privileges will be scored as P5 Informational and awarded points only, as they don't let the attacker compromise Confidentiality, Integrity or Availability any more than they already could as an administrator.
  • When testing, please exercise caution if injecting on any form that may be publicly visible - such as forums, etc. Before injection, please make sure your payload can be removed from the site. If it cannot be easily removed, please check with support@bugcrowd before performing the testing.
  • No pivoting or post exploitation attacks (i.e. using a vulnerability to find another vulnerability) are allowed on this program. DO NOT under any circumstance leverage a finding to identify further issues.
  • Any Atlassian website (e.g. www.atlassian.com) is out of scope for this bounty unless it is directly accessible from one of the targets or any associated services attached to the instance.
  • Customer cloud instances and data are explicitly out of scope.
  • Any repository that you are not an owner of - do not impact Atlassian customers in any way.
  • Any Atlassian billing system. However, specific endpoints that are used inside of a target are in scope. For example, if a REST endpoint is proven to be called from one of the targets, then that endpoint is considered to be in scope. However, all other endpoints are not considered to be in scope, as they are not called from the instance at any stage.
  • Only the latest version of a server product is eligible for a reward. All vulnerabilities/exploits must be proven to work in the latest version of the Atlassian server product.
  • Any internal or development services
  • Third party add-ons/integrations others than those listed in the targets from the marketplace are strictly excluded (vulnerabilities that exist within third-party apps in any way) - we will pass on any vulnerabilities found, however, they will not be eligible for a bounty.

The following finding types are specifically excluded from the bounty

  • The use of Automated scanners is strictly prohibited (we have these tools too - don't even think about using them)
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
    • CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Content Spoofing.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass.
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled.
  • Username / email enumeration.
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security.
    • X-Frame-Options.
    • X-XSS-Protection.
    • X-Content-Type-Options.
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
    • Content-Security-Policy-Report-Only.
    • Cache-Control and Pragma
  • HTTP/DNS cache poisoning.
  • SSL/TLS Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack.
    • SSL Forward secrecy not enabled.
    • SSL weak/insecure cipher suites.
  • No Load testing (DoS/DDoS etc) is allowed on the instance.
    • This includes application DoS as well as network DoS.
  • Self-XSS reports will not be accepted.
    • Similarly, any XSS where local access is required (i.e. User-Agent Header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that will allow for the XSS to trigger.
  • Vulnerabilities that are limited to unsupported browsers will not be accepted (i.e. "this exploit only works in IE6/IE7"). A list of supported browsers can be found here.
  • Known vulnerabilities in used libraries, or the reports that an Atlassian product uses an outdated third party library (e.g. jQuery, Apache HttpComponents etc) unless you can prove exploitability.
  • Missing or incorrect SPF records of any kind.
  • Missing or incorrect DMARC records of any kind.
  • Source code disclosure vulnerabilities.
  • Information disclosure of non-confidential information (e. g. issue id, project id, commit hashes).
  • The ability to upload/download viruses or malicious files to the platform.
  • Email bombing/Flooding/rate limiting
  • CSV Injection

Rules

  • You must ensure that customer data is not affected in any way as a result of your testing. Please ensure you're being non-destructive whilst testing and are only testing using accounts and instances created via the instructions under “Creating your instance” above.
  • In addition to above, customer instances are not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or "verified")
    • If you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate if/that it works.
  • If you find Atlassian Employee login credentials, API keys etc, please report it, but do not attempt to successfully validate if/that it works.
  • Use of any automated tools/scanners is strictly prohibited and will lead to you being removed from the program (trust us, we have those tools too).
  • Reports need to be submitted in plain text (associated pictures/videos are fine as long as they're in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.
  • Grants/awards are at the discretion of Atlassian and we withhold the right to grant, modify or deny grants. But we'll be fair about it.
  • Tax implications of any payouts are the sole responsibility of the reporter.
  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
  • Do NOT test the physical security of Atlassian offices, employees, equipment, etc.
  • This bounty follows Bugcrowd’s standard disclosure terms.
  • Any vulnerability found in a JIRA or Confluence server product is not eligible for a reward in JIRA/Confluence cloud, and vice versa (i.e. no double dipping).

Scoring

A few issue types are not scored by their CVSS scores
These are typically CVSS Medium (P3) but will be rewarded as P4 issues:

  • Open Redirect bugs, and
  • Broken Access Control or Privilege Escalation bugs, where an Administrator is able to perform System Administrator actions.

These are typically CVSS High (P2) but will be rewarded as P3 issues:

  • XSS in Server products

Reporting Credentials

If you believe you have found Atlassian employee or customer credentials please report them but do not attempt to validate them.
Credential Reports will be handled as follows:

  • Customer credential reports will be marked as P5
  • Atlassian employee credentials will have severity adjusted based on CVSS, but will only be paid out if they can access Atlassian resources (i.e. credentials not related to their work at Atlassian will receive points but will not be paid out)

Public Disclosure

Before disclosing an issue publicly we require that you first request permission from us. Atlassian will process requests for public disclosure on a per report basis. Requests to publicly disclose an issue that has not yet been fixed for customers will be rejected. Any researcher found publicly disclosing reported vulnerabilities without Atlassian's written consent will have any allocated bounty withdrawn and disqualified from the program.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Rewards:

Category Tier 1 Tier 2 Tier 3
P1 Up to $5,000 Up to $3,000 Up to $1,500
P2 Up to $1,800 Up to $900 Up to $900
P3 Up to $600 Up to $300 Up to $300
P4 Up to $200 Up to $100 Up to $100

Any finding that is not listed in the above tiers can still be reported via this program. These reports will be rewarded as kudos only reports - any payout is at the discretion of the Atlassian Security Team.

Note: Atlassian uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, Atlassian will defer to the CVSS score to determine the priority.

Applications Eligible for Tier 1 Rewards (See 'Rewards' Section)

  • Jira Cloud (including Jira Ops, Jira Software and Jira Core)
  • Jira Service Desk Cloud
  • Confluence Cloud
  • Bitbucket Cloud (bitbucket.org)
  • Jira Server (Software and Core)
  • Jira Service Desk Server
  • Confluence Server
  • Bitbucket Server
  • Crowd

Applications Eligible for Tier 2 Rewards (See 'Rewards' Section)

  • Bitbucket Pipelines
  • Crucible
  • FishEye
  • Bamboo
  • Admin Hub (https://admin.atlassian.com/atlassian-access)
  • Atlassian Developer (https://developer.atlassian.com)
  • Any associated *.atlassian.io or *.atl-paas.net domain that can be exploited DIRECTLY from your *.atlassian.net instance

Applications Eligible for Tier 3 Rewards (See 'Rewards' Section)

  • Confluence Cloud Mobile Apps (for iOS and Android)
  • Jira Cloud Mobile Apps (for iOS and Android)
  • Jira Portfolio
  • Confluence Team Calendars
  • Confluence Companion App
  • Confluence Questions
  • SourceTree (for macOS and Windows)

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.