Lack of Rate Limiting on any of the targets.
The use of Automated scanners is strictly prohibited (we have these tools too - don't even think about using them)
Descriptive error messages (e.g. Stack Traces, application or server errors).
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Fingerprinting / banner disclosure on common/public services.
Disclosure of known public files or directories, (e.g. robots.txt).
Clickjacking and issues only exploitable through clickjacking.
CSRF on forms that are available to anonymous users (e.g. the contact form).
CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).
Logout Cross-Site Request Forgery (logout CSRF).
Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
Lack of Security Speedbump when leaving the site.
Weak Captcha / Captcha Bypass.
Login or Forgot Password page brute force and account lockout not enforced.
OPTIONS HTTP method enabled.
Username / email enumeration.
Missing HTTP security headers, specifically (https://www.owasp.org/index.php/List_of_useful_HTTP_headers), e.g.
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.
Cache-Control and Pragma
HTTP/DNS cache poisoning.
SSL/TLS Issues, e.g.
SSL Attacks such as BEAST, BREACH, Renegotiation attack.
SSL Forward secrecy not enabled.
SSL weak/insecure cipher suites.
No Load testing (DoS/DDoS etc) is allowed on the instance.
This includes application DoS as well as network DoS.
Self-XSS reports will not be accepted.
Similarly, any XSS where local access is required (i.e. User-Agent Header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that will allow for the XSS to trigger.
Vulnerabilities that are limited to unsupported browsers will not be accepted (i.e. "this exploit only works in IE6/IE7IE11"). A list of supported browsers can be found here.
Known vulnerabilities in used libraries, or the reports that an Atlassian product uses an outdated third party library (e.g. jQuery, Apache HttpComponents etc) unless you can prove exploitability.
Missing or incorrect SPF records of any kind.
Missing or incorrect DMARC records of any kind.
Source code disclosure vulnerabilities.
Information disclosure of non-confidential information (e. g. issue id, project id, commit hashes).
The ability to upload/download viruses or malicious files to the platform.
Email bombing/Flooding/rate limiting.
JWT in ajax requests ignores path and HTTP method.
For some of our apps, we allow arbitrary HTML templates to be defined by administrators. Those could potentially be used for XSS attacks, however since only administrators have access we don't consider those as security threats.