Craft Coders Marketplace Bug Bounty

  • $100 – $1,500 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 5
  • Validation within 8 days 75% of submissions are accepted or rejected within 8 days

Latest hall of famers

Recently joined this program

This bounty is part of the Atlassian Marketplace Bounty Program

!!! More than 90% of researchers get this wrong (don't be one of them) !!!

This bug bounty is for the add-on NOT the marketplace listing on

You will need to install the add-on to perform tests.

  • Do not submit reports about
  • Do not try to hack us by writing a review on (the marketplace site is out of scope)
  • Do not try to hack us by submitting issue reports (the help desk is out of scope)
  • Read! this brief.

Do yourself and us a favor and don't waste your time. Reports for will be rejected.
Especially fake reviews testing the log4j bug or other vulnerabilities are very annoying to us, as we have to contact Atlassian for everyone of them to delete them.


Get Started (tl;dr version)

  • Do not access, impact, destroy or otherwise negatively impact Winter, Jülg und Gellweiler – Softwareengineering Gbr. / Craft Coders or Atlassian customers, or customer data in anyway.
  • Ensure that you use your email address.
  • Ensure you understand the targets, scopes, exclusions, and rules below.
  • Please note that the application listed in the target is in scope. The URL (the marketplace page) itself is NOT
  • The website hosting documentation is NOT in scope.

Quick Links

Note: If the same vulnerability exists in different hosting solutions of a single app, we may pay for this vulnerability once if the codebase and the fix is the same. We reserve the right to make this decision on a case by case basis.

Additionally, there are apps that have distinct listings but share the same codebase. In such case we will only pay once across these apps, unless an environmentally unique vulnerability is discovered.

Focus Areas

Below is a list of some of the vulnerability classes that we are seeking reports for:

  • email header injection
  • anything related to email and our add-on
  • Cross Instance Data Leakage/Access**
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.
Please ensure you're being non-destructive whilst testing and are only testing using accounts and instances created via the instructions under "Creating your instance". Any testing/spamming live support portals or Marketplace sites will disqualify you and you will be banned from Atlassian programs.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. Winter, Jülg und Gellweiler – Softwareengineering Gbr. / Craft Coders uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, Winter, Jülg und Gellweiler – Softwareengineering Gbr. / Craft Coders will defer to the CVSS score to determine the priority. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.