Trusted by millions, Trello is a visual collaboration tool that creates a
shared perspective on any project. Trello’s boards, lists, and cards enable
you to organize and prioritize your personal and work life in a fun, flexible,
and rewarding way.
Ratings/Rewards and Bounty Rules:
For the initial prioritization/rating of findings, this program will use
theBugcrowd Vulnerability Rating
Taxonomy. However, it is
important to note that in some cases a vulnerability priority will be modified
due to its likelihood or impact. In any instance where an issue is downgraded,
a full, detailed explanation will be provided to the researcher - along with
the opportunity to appeal, and make a case for a higher priority.
Note: Atlassian uses CVSS to consistently score security vulnerabilities.
Where discrepancies between the VRT and CVSS score exist, Atlassian will defer
to the CVSS score to determine the priority.
To qualify for a bounty you must:
- Report a qualifying vulnerability that is in the scope of our program (also below)
- Be the first person to report the vulnerability
- Adhere to our disclosure guidelines (see below)
- Only test against your own accounts and data
- Be reasonable with automated scanning methods so as to not degrade services
- Refrain from disclosing the vulnerability until we've addressed it
- Communicate with our security team exclusively via Bugcrowd (the security team will be way more impressed by your exploits than our support or social media teams)
Last updated 2 Oct 2018 19:50:46 UTC
Technical severity | Reward range
p1 Critical | Up to: $5,000
p2 Severe | Up to: $1,800
p3 Moderate | Up to: $600
p4 Low | Up to: $200
P5 submissions do not receive any rewards for this program.
Target name | Type
trello.com | Website
api.trello.com | Website
*.trello.services | Website
<https://butlerfortrello.com/> | Website
Out of scope
Target name | Type
e.trello.com | Website
help.trello.com | Website
trello-attachments.s3.amazonaws.com | Website
Other domains (e.g. trello-attachments.s3.amazonaws.com) or subdomains not
listed above (e.g. e.trello.com, help.trello.com) and 3rd party services, are
not in scope and will not qualify for a bounty.
Vulnerabilities affecting blog.trello.com will only qualify for a bounty if
they include a working proof of concept showing how the issue can compromise
user data on trello.com.
You are free to make as many accounts as needed to test on Trello - please
ensure that you use your @bugcrowdninja.com email address.
Reports must include the following:
- A Proof of Concept
- Detailed steps on how to reproduce the vulnerability
- Explanation of how the attack could be executed in a real world scenario to compromise user accounts or data
- Customer instances and data are explicitly out of scope.
- Any Board/Card/Data that you are not an owner of - do not impact Trello customers in any way.
- Any Trello billing system. However, specific endpoints that are used inside of a target are in scope. For example, if a REST endpoint is proven to be called from one of the targets, then that endpoint is considered to be in scope. However, all other endpoints are not considered to be in scope, as they are not called from the instance at any stage.
- Any internal or development services
The following finding types are specifically excluded from the bounty
- The use of Automated scanners is strictly prohibited (we have these tools too - don't even think about using them)
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Fingerprinting / banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
- Logout Cross-Site Request Forgery (logout CSRF).
- Content Spoofing.
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Cookies missing secure/HttpOnly.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass.
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS HTTP method enabled.
- Username / email enumeration.
- Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
- Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
- Cache-Control and Pragma
- HTTP/DNS cache poisoning.
- SSL/TLS Issues, e.g.
- SSL Attacks such as BEAST, BREACH, Renegotiation attack.
- SSL Forward secrecy not enabled.
- SSL weak/insecure cipher suites.
- No Load testing (DoS/DDoS etc) is allowed on the instance.
- This includes application DoS as well as network DoS.
- Self-XSS reports will not be accepted.
- Similarly, any XSS where local access is required (i.e. User-Agent Header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that will allow for the XSS to trigger.
- Vulnerabilities that are limited to unsupported browsers will not be accepted (i.e. "this exploit only works in IE6/IE7"). A list of supported browsers can be found here.
- Known vulnerabilities in used libraries, or the reports that an Atlassian product uses an outdated third party library (e.g. jQuery, Apache HttpComponents etc) unless you can prove exploitability.
- Missing or incorrect SPF records of any kind.
- Source code disclosure vulnerabilities.
- Information disclosure of non-confidential information (e. g. issue id, project id, commit hashes).
- The ability to upload/download viruses or malicious files to the platform.
- Email bombing/Flooding/rate limiting
- You must ensure that customer data is not affected in any way as a result of your testing. Please ensure you're being non-destructive whilst testing and are only testing on instances that you own.
- In addition to above, customer instances are not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or "verified")
- If you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate if/that it works.
- Use of any automated tools/scanners is strictly prohibited and will lead to you being removed from the program (trust us, we have those tools too).
- Reports need to be submitted in plain text (associated pictures/videos are fine as long as they're in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.
- Grants/awards are at the discretion of Atlassian and we withhold the right to grant, modify or deny grants. But we'll be fair about it.
- Tax implications of any payouts are the sole responsibility of the reporter.
- Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.
- Do NOT test the physical security of Trello offices, employees, equipment, etc.
- This bounty follows Bugcrowd’s standard disclosure terms.
Before disclosing an issue publicly we require that you first request
permission from us. Atlassian will process requests for public disclosure on a
per report basis. Requests to publicly disclose an issue that has not yet been
fixed for customers will be rejected. Any researcher found publicly disclosing
reported vulnerabilities without Atlassian's written consent will have any
allocated bounty withdrawn and disqualified from the program.
We're happy to acknowledge security researchers that have helped us keep our
users' data secure on our Hall of Fame page.
This program follows Bugcrowd’s standard disclosure
This program does not offer financial or point-based rewards for P5 —
Informational findings. Learn more about Bugcrowd’s VRT.