Atlassian
- $200 – $10,000 per vulnerability
DoS Scope Clarifications and Report Guidelines
Hi!
We've updated our scope to clarify what Denial of Service (DoS) attacks we are accepting across our products:
- Denial of Service (DoS) reports on cloud products are specifically out of scope. Do not perform DoS attacks/testing on any cloud instance.
- DoS reports on Server/Data Center products related to lack of rate limiting, request flooding, resource exhaustion, or other similar network-layer/volume-based attacks are not accepted.
Also, in an effort to speed up response times, communicate clear security risks, and ultimately improve report acceptance, we've included some recommended Reporting Guidelines:
- Brief summary (please include product versions affected/tested)
- Prerequisites (including any products, user privileges, tools required, files prepared, web server configurations, or any other initial conditions prior to initiating the proof of concept)
- Reproduction steps including vulnerable endpoints, parameters, payloads used, source of any scripts used, or command line inputs (Burp requests, screenshots, and recordings are highly encouraged)
- Expected results/behavior vs actual results/behavior (include any formal documentation, resources, or links that state the expected behavior)
- Assessed security impact (as it relates to the Confidentiality, Integrity, and/or Availability of the product)
- Possible mitigations, fixes, or security controls
- References
If you have any questions, please reach out to support@bugcrowd.com.