This bounty is part of the Atlassian Marketplace Bounty Program

Stiltsoft is a highly-motivated team of developers with rich experience in the Atlassian Ecosystem since 2010. As an Atlassian Platinum Marketplace Partner, we deliver new functionality to Confluence, Jira, and Bitbucket, developing handy apps for these tools. 4000+ customers from 80 countries worldwide trust Stiltsoft, using our solutions to boost their productivity.

Get Started (tl;dr version)

• Do not access, impact, destroy or otherwise negatively impact Stiltsoft or Atlassian customers, or customer data in any way.
• Ensure that you use your @bugcrowdninja.com email address.
• Please do not test marketplace.atlassian.com, but install our apps in your Jira/Confluence/Bitbucket instance and test the apps themselves.
• Do not post reviews for our apps on marketplace.atlassian.com. Failure to adhere to this will result in not receiving any reward for any of your submissions and possible removal from the program.
• Ensure you understand the targets, scopes, exclusions, and rules below.

Quick Links

• Table Filter and Charts for Confluence (Cloud)
• Table Filter and Charts for Confluence (Server)
• Table Filter and Charts for Confluence (Data Center)
• Courses and Quizzes - LMS for Confluence (Cloud)
• Awesome Graphs for Bitbucket (Cloud)
• Awesome Graphs for Bitbucket (Server)
• Awesome Graphs for Bitbucket (Data Center)
• TeamCity Integration for Jira (Cloud)
• Customer Case - Jira Support & Feedback for Jira (Cloud)
• Handy Macros for Confluence (Cloud)
• Spreadsheet Issue Field Editor
• Smart Attachments for Jira (Cloud) *Webhook Manager for Confluence (Cloud)
• Project Velocity Dashboard (Cloud)
• User Profile Manager - CRM in Jira (Cloud)
• Employee Performance Ratings (Cloud)

Focus Areas

Below is a list of some of the vulnerability classes that we are seeking reports for:

• Cross Instance Data Leakage/Access**
• Server-side Remote Code Execution (RCE)
• Server-Side Request Forgery (SSRF)
• Stored/Reflected Cross-site Scripting (XSS)
• Cross-site Request Forgery (CSRF)
• SQL Injection (SQLi)
• XML External Entity Attacks (XXE)
• Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
• Path/Directory Traversal Issues

Ensure you review the out of scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.

Please ensure you're being non-destructive whilst testing and are only testing using accounts and instances created via the instructions under "Creating your instance". Any testing/spamming live support portals or Marketplace sites will disqualify you and you will be banned from Atlassian programs.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please email support@bugcrowd.com. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.