We are pleased to announce Atlassian is now offering bonuses (5x) for eligible Confluence Data Center (DC) submissions.
The bonus is live as of November 06, 2023 and will end on
November 17 December 1, 2023 at 11:59 PM PST.
UPDATE: We are extending this bonus until December 1, 2023 at 11:59 PM PST.
To qualify for bonus rewards, the submissions must fit the following criteria:
- Confluence DC (LTS 7.19.16, LTS 8.5.3, or the current latest version 8.6.1)
- Rated CVSS (v3) 9.0+
- Submitted on or before
November 17December 1, 2023 at 11:59 PM PST
Below are the bonus details:
|Target||Previous Reward Range||New Reward Range|
|Confluence Data Center||$6,000||$30,000|
Note, bonuses are subject to change. If you have any questions, please reach out to firstname.lastname@example.org.
Tools for teams, from startup to enterprise. Atlassian provides the tools to help every team unleash their full potential.
Get Started (tl;dr version)
- Do not access, impact, destroy or otherwise negatively impact Atlassian customers, or customer data in anyway.
- Ensure that you use your @bugcrowdninja.com email address.
- Bounties are awarded differently per product (see below for more details on payouts).
- Ensure you understand the targets, scopes, exclusions, and rules in Scope & Rewards.
Due to the collaborative nature of Atlassian products, we are not interested in vulnerabilities surrounding enumeration and information gathering (being able to work effectively as a team is the purpose of our products). Instead, we're more interested in traditional web application vulnerabilities, as well as other vulnerabilities that can have a direct impact to our products. Below is a list of some of the vulnerability classes that we are seeking reports for:
- Cross Instance Data Leakage/Access**
- Server-side Remote Code Execution (RCE)
- Server-Side Request Forgery (SSRF)
- Stored/Reflected Cross-site Scripting (XSS)
- Cross-site Request Forgery (CSRF)
- SQL Injection (SQLi)
- XML External Entity Attacks (XXE)
- Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
- Path/Directory Traversal Issues
Ensure you review the out of scope and exclusions list for further details.
** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.
Jira and Confluence:
- Use the following naming convention: bugbounty-test-<bugcrowd-name>.atlassian.net
- We only accept vulnerabilities affecting the latest version of the product you are testing
- Mobile Targets:
Creating Your Instance
Jira + Confluence Cloud
To access the instance and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:
- Navigate to this page here
- Complete the verification flow
- When it is time to rename your instance, using the following format: bugbounty-test-<bugcrowd-name> Note that <bugcrowd-name> should be replaced with your own bugcrowd username
- Click "Agree"
- Once your instance has been completed that's it - you can test away.
- Navigate to https://www.atlassian.com/software/compass
- Click "Get it free today"
- Sign up with your @bugcrowdninja.com email address
- Start testing!
- Navigate to https://bitbucket.org/ and select "Log In"
- Select "Sign Up" and create an account with your @bugcrowdninja.com email address.
- Start testing!
All Atlassian Server Products
To access the target and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:
- Navigate to www.atlassian.com
- Download the server version of the product you want to test,
- Install the product,
- (if required) Generate a trial license for the product,
- Start testing
Note: After the trial period expires you can generate another evaluation license and continue researching. Please remember to check that you are still on the latest version.
Disclosure Request Guidance
Submissions that meet the following requirements will be considered for disclosure upon request:
- The submission has been accepted
- The reported vulnerability has been fixed and released in production
- The submission does not regard a customer instance or a customer’s account
Scope and rewards
This program follows Bugcrowd’s standard disclosure terms.
For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email email@example.com. We will address your issue as soon as possible.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.