• $100 – $1,500 per vulnerability

Program stats

  • Vulnerabilities rewarded 15
  • Validation within 18 days 75% of submissions are accepted or rejected within 18 days
  • Average payout $245 within the last 3 months

Latest hall of famers

Recently joined this program

This bounty is part of the Atlassian Marketplace Bounty Program

Nextup builds workflow automation bots for Slack that primarily interact with Atlassian Jira and Jira Service Desk. We build tools that allow people to easily interact with complex ticketing systems, all from within Slack.

Get Started (tl;dr version)

Do not access, impact, destroy or otherwise negatively impact Nextup or Atlassian customers, or customer data in any way.
Ensure that you use your email address.
Ensure you understand the targets, scopes, exclusions, and rules below.
Please note that the application listed in the target is in scope. The URL (the Marketplace page) itself is NOT.

Quick Links

Focus Areas

Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Cross Instance Data Leakage/Access**
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.


For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority. Please see below for deviations.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.