Atlassian Opsgenie

  • $100 – $1,500 per vulnerability
  • Managed by Bugcrowd

Program stats

26 vulnerabilities rewarded

Validation within 4 days
75% of submissions are accepted or rejected within 4 days

$309.09 average payout (last 3 months)

Latest hall of famers

Recently joined this program

Disclosure

Please note: This program does not allow disclosure. You may not release information about vulnerabilities found in this program to the public.

Opsgenie is a modern incident management platform for operating always-on services, empowering Dev & Ops teams to plan for service disruptions and stay in control during incidents. With over 200 deep integrations and a highly flexible rules engine, Opsgenie centralizes alerts, notifies the right people reliably, and enables them to collaborate and take rapid action. Throughout the entire incident lifecycle, Opsgenie tracks all activity and provides actionable insights to improve productivity and drive continuous operational efficiencies.

Get Started (tl;dr version)

  • Testing for Opsgenie is ONLY to be performed on https://app.opsgeni.us.
  • Do not access, impact, destroy or otherwise negatively impact Opsgenie customers, or customer data in anyway.
  • Ensure that you use your @bugcrowdninja.com email address.
  • Ensure you understand the targets, scopes, exclusions, and rules below.
  • Application tests should be done against Opsgenie Lab , a clone of Opsgenie Production with no customer data in it.
    • No testing should be performed against *.opsgenie.com, *.opsgenie.net unless explicitly requested.
    • Note: Any link you click on https://docs.opsgenie.com will make you land on opsgenie.com which is production Opsgenie, please make sure you are testing on *.opsgeni.us domains.
    • Note: Mobile apps by default will connect to out of scope domains. See the note below about mobile apps.

Quick Links

  • Opsgenie Links
    • Website
      • https://app.opsgeni.us
      • https://docs.opsgenie.com/docs/welcome
      • https://docs.opsgenie.com/docs/opsgenie-quick-start-guide
      • https://docs.opsgenie.com/docs/new-user-guide
    • Docs
      • https://docs.opsgenie.com/
      • For real time support you can also use Intercom chat bubble on bottom right of www.opsgenie.com
    • API Docs
      • https://docs.opsgenie.com/docs/api-overview
      • https://docs.opsgenie.com/docs/api-access-management
      • https://docs.opsgenie.com/docs/authentication
      • https://docs.opsgenie.com/docs/alert-api
      • https://docs.opsgenie.com/docs/user-api
    • Mobile apps
      • (Android) https://play.google.com/store/apps/details?id=com.ifountain.opsgenie
      • (iOS) https://itunes.apple.com/us/app/opsgenie/id528590328
      • Note: by default, some out of scope domains are hard-coded into mobile apps. Make sure not to test out of scope domains. In order to make sure the mobile app is pointed at the correct, in-scope, sandbox server do the following:
        • Go to the sign-in screen
        • Long tap on screen for 3 seconds then release
        • Fill in the "sandbox url" field with https://mobileapp.opsgeni.us
        • Tap Next

Focus Areas

  • Authentication
  • Session Management
  • HTTP and Cookie Security
  • Multi Tenant Data Leakage/Access
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Injection
  • XML External Entity Attacks (XXE)
  • Access Control & Authorization Vulnerabilities
  • Path/Directory Traversal Issues
  • File Upload & File hosting

Ensure you review the out of scope and exclusions list for further details.
** Cross Instance Data Leakage/Access refers to unauthorised data access between instances.

Reward Range

Last updated
Technical severity Reward range
p1 Critical $1,500 - $1,500
p2 Severe $900 - $900
p3 Moderate $300 - $300
p4 Low $100 - $100
P5 submissions do not receive any rewards for this program.

Targets

In scope

Target name Type
app.opsgeni.us Website
mobileapp.opsgeni.us Website
*.opsgeni.us Website
Opsgenie (IoS) iOS
Opsgenie (Android) Android

Out of scope

Target name Type
Opsgenie Production (*.opsgenie.com, billing systems, third parties) Website

Rules, Exclusions, and Scopes

Any domain/property of Opsgenie not listed in the targets section is strictly out of scope (for more detailed information please see the out of scope and exclusions sections below). Researchers should use their @bugcrowdninja.com email address when signing up for an account.

All resources within your instance are in scope (see below for exclusions), this includes the REST API.

Creating Your Instance

Researchers can sign up here: https://app.opsgeni.us/customer/register
Note: Remember to use your @bugcrowdninja.com email address

!! Do not forget to verify your account by clicking on the link via email, some features will not work until verification done. !!

Next page is a nice onboarding wizard which presents users with different features in Opsgenie, by following the wizard, new signups can have a fast onboarding experience.
You can get a paid account using the following credit card details:
Credit Card number: 4242 4242 4242 4242
Exp: Any date in the future
CVV: any three digits

Additional documents:

  • https://docs.opsgenie.com/docs/welcome
  • https://docs.opsgenie.com/docs/opsgenie-quick-start-guide
  • https://docs.opsgenie.com/docs/quick-set-up-video
  • https://docs.opsgenie.com/docs/new-user-guide
  • https://docs.opsgenie.com/docs/users

Out-of-Scope

Anything not declared as a target or in scope above should be considered out of scope for the purposes of this bug bounty. However to help avoid grey areas, below are examples of what is considered out of scope.

  • Blind XSS must not return any user data that you do not have access to (e.g. Screen shots, cookies that aren't owned by you, etc); when testing for blind XSS, please use the least invasive test possible (e.g. calling 1x1 image or nonexistent page on your webserver, etc).
  • When testing, please exercise caution if injecting on any form that may be publicly visible - such as forums, etc. Before injection, please make sure your payload can be removed from the site. If it cannot be easily removed, please check with support@bugcrowd before performing the testing.
  • No pivoting or post exploitation attacks (i.e. using a vulnerability to find another vulnerability) are allowed on this program. DO NOT under any circumstance leverage a finding to identify further issues.
  • Any Opsgenie website (e.g. www.opsgenie.com) is out of scope for this bounty unless it is directly accessible from the application
  • Customer cloud instances and data are explicitly out of scope.
  • Any repository that you are not an owner of - do not impact Opsgenie customers in any way.
  • Any Opsgenie billing system. However, specific endpoints that are used inside of a target are in scope. For example, if a REST endpoint is proven to be called from one of the targets, then that endpoint is considered to be in scope. However, all other endpoints are not considered to be in scope, as they are not called from the instance at any stage.
  • Any internal or development services
  • Third party add-ons/integrations others than those listed in the targets from the marketplace are strictly excluded (vulnerabilities that exist within third-party apps in any way) - we will pass on any vulnerabilities found, however, they will not be eligible for a bounty.

The following finding types are specifically excluded from the bounty

  • The use of Automated scanners is strictly prohibited (we have these tools too - don't even think about using them)
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • CSRF on forms that are available to anonymous users (e.g. the contact form).
    • CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
  • Logout Cross-Site Request Forgery (logout CSRF).
  • Content Spoofing.
  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Lack of Security Speedbump when leaving the site.
  • Weak Captcha / Captcha Bypass.
  • Login or Forgot Password page brute force and account lockout not enforced.
  • OPTIONS HTTP method enabled.
  • Username / email enumeration.
  • Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
    • Strict-Transport-Security.
    • X-Frame-Options.
    • X-XSS-Protection.
    • X-Content-Type-Options.
    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
    • Content-Security-Policy-Report-Only.
    • Cache-Control and Pragma
  • HTTP/DNS cache poisoning.
  • SSL/TLS Issues, e.g.
    • SSL Attacks such as BEAST, BREACH, Renegotiation attack.
    • SSL Forward secrecy not enabled.
    • SSL weak/insecure cipher suites.
  • No Load testing (DoS/DDoS etc) is allowed on the instance.
    • This includes application DoS as well as network DoS.
  • Self-XSS reports will not be accepted.
    • Similarly, any XSS where local access is required (i.e. User-Agent Header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that will allow for the XSS to trigger.
  • Vulnerabilities that are limited to outdated browsers will not be accepted (i.e. "this exploit only works in IE6/IE7"). Ensure you're testing on the latest versions of your browser.
  • Known vulnerabilities in used libraries, or the reports that Opsgenie uses an outdated third party library (e.g. jQuery, Apache HttpComponents etc) unless you can prove exploitability.
  • Missing or incorrect SPF records of any kind. This includes DMARC.
  • Source code disclosure vulnerabilities.
  • Information disclosure of non-confidential information (e. g. issue id, project id, commit hashes).
  • The ability to upload/download viruses or malicious files to the platform.
  • Email bombing/Flooding/rate limiting

Rules

  • All testing must be done against *.opsgeni.us
  • You must ensure that customer data is not affected in any way as a result of your testing. Please ensure you're being non-destructive whilst testing and are only testing on instances that you own.
  • In addition to above, customer instances are not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or "verified")
    • If you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate if/that it works.
  • Use of any automated tools/scanners is strictly prohibited and will lead to you being removed from the program (trust us, we have those tools too).
  • Reports need to be submitted in plain text (associated pictures/videos are fine as long as they're in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.
  • Grants/awards are at the discretion of Atlassian and we withhold the right to grant, modify or deny grants. But we'll be fair about it.
  • Tax implications of any payouts are the sole responsibility of the reporter.
  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
  • Do NOT test the physical security of Opsgenie offices, employees, equipment, etc.
  • This bounty follows Bugcrowd’s standard disclosure terms.

Public Disclosure

Before disclosing an issue publicly we require that you first request permission from us. Opsgenie will process requests for public disclosure on a per report basis. Requests to publicly disclose an issue that has not yet been fixed for customers will be rejected. Any researcher found publicly disclosing reported vulnerabilities without Opsgenie's written consent will have any allocated bounty withdrawn and disqualified from the program.

Rewards:

Any finding that is not listed in the above tiers can still be reported via this program. These reports will be rewarded as kudos only reports - any payout is at the discretion of the Opsgenie Security Team.

Note: Opsgenie uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, Opsgenie will defer to the CVSS score to determine the priority.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.