• $200 – $4,000 per vulnerability

Program stats

  • Vulnerabilities rewarded 18
  • Validation within 4 days 75% of submissions are accepted or rejected within 4 days

Latest hall of famers

Recently joined this program

Halp allows teams to triage requests, automate workflows, and solve tickets faster. Halp currently integrates with Jira, Zendesk, Confluence and Zapier.

Ratings/Rewards and Bounty Rules:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Note: Atlassian uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, Atlassian will defer to the CVSS score to determine the priority.

To qualify for a bounty you must:

  • Report a qualifying vulnerability that is in the scope of our program (also below)
  • Be the first person to report the vulnerability
  • Adhere to our disclosure guidelines (see below)
  • Only test against your own accounts and data
  • Be reasonable with automated scanning methods so as to not degrade services
  • Refrain from disclosing the vulnerability until we've addressed it
  • Communicate with our security team exclusively via Bugcrowd (the security team will be way more impressed by your exploits than our support or social media teams)

Reporting Guidelines

Where applicable, please include the following information. This will greatly assist in the triage, validation, and acceptance processes and will result in more clear security risk communication and timely report acceptances.

  • Brief summary (please include product versions affected/tested)
  • Prerequisites (including any products, user privileges, tools required, files prepared, web server configurations, or any other initial conditions to prior to initiating the proof of concept)
  • Reproduction steps including vulnerable endpoints, parameters, payloads used, source of any scripts used, or command line inputs (burp requests, screenshots and recordings are highly encouraged)
  • Expected results/behavior vs actual results/behavior (include any formal documentation, resources, or links that state the expected behavior)
  • Assessed security impact (as it relates to the Confidentiality, Integrity, and/or Availability of the product)
  • Possible mitigations, fixes, or security controls

Focus Areas

Due to the collaborative nature of Atlassian products, we are not interested in vulnerabilities surrounding enumeration and information gathering (being able to work effectively as a team is the purpose of our products). Instead, we're more interested in traditional web application vulnerabilities, as well as other vulnerabilities that can have a direct impact to our products. Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Cross Instance Data Leakage/Access**
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.

Access and credentials

Halp can be accessed via an existing Slack or Microsoft Teams account. Ensure that your Slack/Microsoft Teams account is registered under your @bugcrowdninja.com email address in order to get a full Halp subscription.

For the standalone ticketing platform, please sign up with your @bugcrowdninja.com email address in order to get a full Halp subscription. You will be able to add the integration on the following site https://halp.com/. Please note that the site itself is not in scope.

In order for the Ticketing integration to work properly, your Slack or Microsoft Teams instance will also need to have Jira or Zendesk. Additionally, there is a Confluence integration that helps support the Ticketing integration.

JIRA + Confluence Cloud
To access the instance and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:

  • Navigate to the signup page and complete the sign up by email process here
  • Click "Agree"
  • Complete the form, using the following format: bugbounty-test-<bugcrowd-name> Note that <bugcrowd-name> should be replaced with your own bugcrowd username
  • Click "Start now"
  • Once your instance has been completed that's it - you can test away.
  • Proceed to the application's marketplace listing and install the respective application. There is a tab for installation instructions should you need guidance.

Disclosure Request Guidance

Submissions that meet the following requirements will be considered for disclosure upon request:

  • The submission has been accepted
  • The reported vulnerability has been fixed and released in production
  • The submission does not regard a customer instance or a customer’s account

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.