• $200 – $4,000 per vulnerability
  • Safe harbor

Program stats

  • Vulnerabilities rewarded 143
  • Validation within 7 days 75% of submissions are accepted or rejected within 7 days
  • Average payout $200 within the last 3 months

Latest hall of famers

Recently joined this program

745 total

Opsgenie is a modern incident management platform for operating always-on services, empowering Dev & Ops teams to plan for service disruptions and stay in control during incidents. With over 200 deep integrations and a highly flexible rules engine, Opsgenie centralizes alerts, notifies the right people reliably, and enables them to collaborate and take rapid action. Throughout the entire incident lifecycle, Opsgenie tracks all activity and provides actionable insights to improve productivity and drive continuous operational efficiencies.

Get Started (tl;dr version)

  • Testing for Opsgenie is to be performed on https://*.opsgenie.com using free-trial accounts.
  • Do not access, impact, destroy or otherwise negatively impact Opsgenie customers, or customer data in anyway.
  • Ensure that you use your @bugcrowdninja.com email address.
  • Ensure you understand the targets, scopes, exclusions, and rules below.

Quick Links

Focus Areas

  • Authentication
  • Session Management
  • HTTP and Cookie Security
  • Multi Tenant Data Leakage/Access
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Injection
  • XML External Entity Attacks (XXE)
  • Access Control & Authorization Vulnerabilities
  • Path/Directory Traversal Issues
  • File Upload & File hosting

Ensure you review the out of scope and exclusions list for further details.
** Cross Instance Data Leakage/Access refers to unauthorised data access between instances.

Creating Your Instance

Researchers can sign up here: https://www.atlassian.com/software/opsgenie/try
Note: Remember to use your @bugcrowdninja.com email address

!! Do not forget to verify your account by clicking on the link via email, some features will not work until verification is complete. !!

Additional documents:

Disclosure Request Guidance

Submissions that meet the following requirements will be considered for disclosure upon request:

  • The submission has been accepted
  • The reported vulnerability has been fixed and released in production
  • The submission does not regard a customer instance or a customer’s account

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.