| Scope Type | Scope Name |
|---|---|
| android_application | Jira Cloud Mobile App for Android |
| android_application | Confluence Cloud Mobile App for Android |
| ios_application | Jira Cloud Mobile App for iOS |
| ios_application | Confluence Cloud Mobile App for iOS |
| other | Jira Service Desk |
| other | Other - (all other Atlassian targets) |
| web_application | Jira Cloud (bugbounty-test- |
| web_application | Jira Service Desk (bugbounty-test- |
| web_application | Confluence Cloud (bugbounty-test- |
| web_application | Bitbucket Cloud (https://bitbucket.org) |
| web_application | Bitbucket Pipelines (https://bitbucket.org/product/features/pipelines) |
| web_application | Confluence Team Calendars (https://www.atlassian.com/software/confluence/team-calendars) |
Out of Scope
| Scope Type | Scope Name |
|---|---|
| web_application | AgileCraft and any Related Assets |
| web_application | Any repository that you are not an owner of - do not impact Atlassian customers in any way. |
| web_application | Any internal or development services. |
| web_application | Third party add-ons from the marketplace are strictly excluded (vulnerabilities that exist within third party apps in any way) - we will pass on any vulnerabilities found, however they will not be eligible for bounty. |
to help every team unleash their full potential.
Due to the collaborative nature of Atlassian products, we are not interested in vulnerabilities surrounding enumeration and information gathering (being able to work effectively as a team is the purpose of our products). Instead, we're more interested in traditional web application vulnerabilities, as well as other vulnerabilities that can have a direct impact on our products. Below is a list of some of the vulnerability classes that we are seeking reports for:
Ensure you review the out of scope and exclusions list for further details.
** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.
| Target name | Type |
|---|---|
| Jira Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net) | Website |
| Jira Service Desk (bugbounty-test-<bugcrowd-name>.atlassian.net) | Website |
| Confluence Cloud (bugbounty-test-<bugcrowd-name>.atlassian.net/wiki) | |
| Bitbucket Cloud (https://bitbucket.org) | Website |
| Bitbucket Pipelines (https://bitbucket.org/product/features/pipelines) | |
| Sourcetree (https://www.sourcetreeapp.com/) | Other |
| Any associated *.atlassian.io or *.atl-paas.net domain that can be exploited DIRECTLY from the *.atlassian.net instance | Other |
| Jira Core | Other |
| JIRA Software | Other |
| Jira Service Desk | Other |
| Confluence | Other |
| Bitbucket Server | Other |
| Bamboo | Other |
| Crowd | Other |
| FishEye | Other |
| Crucible | Other |
| Jira Cloud Mobile App for iOS | iOS |
| Jira Cloud Mobile App for Android | Android |
| Confluence Cloud Mobile App for iOS | iOS |
| Confluence Cloud Mobile App for Android | Android |
| Jira Portfolio | Other |
| Confluence Team Calendars (https://www.atlassian.com/software/confluence/team-calendars) | Website |
| Confluence Questions | Other |
| Other - (all other Atlassian targets) | Other |
| https://admin.atlassian.com/atlassian-access | Website |
| https://apps.apple.com/us/app/confluence-server/id1288365159 | iOS |
| Target name | Type |
|---|---|
| AgileCraft and any Related Assets | Website |
| Any repository that you are not an owner of - do not impact Atlassian customers in any way. | Website |
| https://blog.bitbucket.org | Website |
| Any internal or development services. | Website |
| bytebucket.org | Website |
| Third party add-ons from the marketplace are strictly excluded (vulnerabilities that exist within third party apps in any way) - we will pass on any vulnerabilities found, however they will not be eligible for bounty. | |
| *.bitbucket.io | Website |
Any domain/property of Atlassian not listed in the targets section is strictly out of scope (for more information please see the out of scope and exclusions sections below). Researchers should use the "bugbounty-test-
All resources within your instance are in scope (see below for exclusions); this includes all of the REST APIs and any .atlassian.io or .atl-paas.net service that can be exploited from an in-scope product.
Jira Cloud (including Jira Ops, Jira Software and Jira Core)
Jira Service Desk Cloud
Bitbucket Cloud (bitbucket.org)
Jira Server (Software and Core)
Jira Service Desk Server
Admin Hub (https://admin.atlassian.com/atlassian-access)
Atlassian Developer (https://developer.atlassian.com)
Any associated *.atlassian.io or *.atl-paas.net domain that can be exploited DIRECTLY from your *.atlassian.net instance
Confluence Cloud Mobile Apps (for iOS and Android)
Jira Cloud Mobile Apps (for iOS and Android)
Confluence Team Calendars
SourceTree (for macOS and Windows)
JIRA + Confluence Cloud
To access the instance and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:
All Atlassian Server Products
To access the target and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:
Note: After the trial period expires you can generate another evaluation license and continue researching. Please remember to check that you are still on the latest version.
Anything not declared as a target or in scope above should be considered out of scope for the purposes of this bug bounty. However, to help avoid grey areas, below are examples of what is considered out of scope.
Before disclosing an issue publicly we require that you first request permission from us. Atlassian will process requests for public disclosure on a per-report basis. Requests to publicly disclose an issue that has not yet been fixed for customers will be rejected. Any researcher found publicly disclosing reported vulnerabilities without Atlassian's written consent will have any allocated bounty withdrawn and will be disqualified from the program.
When conducting vulnerability research according to this policy, we consider this research to be:
You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
| Category | Tier 1 | Tier 2 | Tier 3 |
|---|---|---|---|
| P1 | Up to $5,000 | Up to $3,000 | Up to $1,500 |
| P2 | Up to $1,800 | Up to $900 | Up to $900 |
| P3 | Up to $600 | Up to $300 | Up to $300 |
| P4 | Up to $200 | Up to $100 | Up to $100 |

Any finding that is not listed in the above tiers can still be reported via this program. These reports will be rewarded as kudos-only reports; any payout is at the discretion of the Atlassian Security Team.
Note: Atlassian uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, Atlassian will defer to the CVSS score to determine the priority.
This program follows Bugcrowd’s standard disclosure terms.
This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.