Atlassian

  • $200 – $10,000 per vulnerability
  • Safe harbor

DoS Scope Clarifications and Report Guidelines

Hi!

We've updated our scope to clarify which Denial of Service (DoS) attacks we are accepting across our products:

  • Denial of Service (DoS) reports on cloud products are specifically out of scope. Do not perform DoS attacks/testing on any cloud instance.
  • DoS reports on Server/Data Center products related to lack of rate limiting, request flooding, resource exhaustion, or other similar network-layer/volume-based attacks are not accepted.

Also, in an effort to speed up response times, communicate clear security risks, and ultimately improve report acceptance, we've included some recommended Reporting Guidelines:

  • Brief summary (please include product versions affected/tested)
  • Prerequisites (including any products, user privileges, tools required, files prepared, web server configurations, or any other initial conditions prior to initiating the proof of concept)
  • Reproduction steps including vulnerable endpoints, parameters, payloads used, source of any scripts used, or command line inputs (Burp requests, screenshots and recordings are highly encouraged)
  • Expected results/behavior vs actual results/behavior (include any formal documentation, resources, or links that state the expected behavior)
  • Assessed security impact (as it relates to the Confidentiality, Integrity, and/or Availability of the product)
  • Possible mitigations, fixes, or security controls
  • References

If you have any questions, please reach out to support@bugcrowd.com.