Atlassian

  • $200 – $10,000 per vulnerability
  • Safe harbor

Reward bonuses for eligible Confluence Cloud P1/P2 Submissions!

Bonus Rewards for Confluence Cloud

We are pleased to announce that Atlassian is now offering bonuses (1.5x) for eligible Confluence Cloud submissions (bugcrowd-test-<bugcrowd-name>.atlassian.net/wiki). The bonus period starts on September 1, 2023 and runs until the end of the year (Dec 31 2023) or until our bonus reward pool runs out.

Below are the bonus details:

| Priority/Bonus Qualifications | Previous Reward Amount | New Reward Amount |
|---|---|---|
| P1 on Confluence Cloud (See scope below.) | $10000 | $15000 |
| P2 on Confluence Cloud (See scope below.) | $3600 | $5400 |

Focus Areas and Scope Clarifications

We are focusing on web application vulnerabilities that require a code change to the native Confluence Cloud application. Examples (not all-inclusive):

  • Cross Instance Data Leakage/Access
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc.)
  • Path/Directory Traversal Issues
  • Server-Side Template Injection (SSTI)

Vulnerabilities/targets not eligible for reward bonuses (but still eligible for normal rewards)

  • Credential leaks
  • Subdomain takeovers
  • Vulnerabilities in Confluence Server/Data Center
  • Vulnerabilities in publicly available Atlassian assets (*.atlassian.com)
  • Vulnerabilities in other cloud applications (Jira, Bitbucket, admin.atlassian.com, id.atlassian.com, etc.)
  • Vulnerabilities in Confluence Mobile Application
  • Vulnerabilities in Marketplace 1st party or 3rd party applications

Note: bonuses are subject to change. If you have any questions, please reach out to support@bugcrowd.com.

Happy Hunting!