Marketplace Bug Bounty Program

This bounty is part of the Atlassian Marketplace Bounty Program

BrizoIT is a team of Atlassian enthusiasts who develop Atlassian apps. Our goal is to create apps that resolve real-life business problems. We strive to provide exceptional customer support.

The following findings are specifically excluded:

  • Access to an exported calendar, including a private calendar (this is not a bug since the app was intended to share calendars with the public).

  • Testing privileges and REST services under admin accounts. Admins have rights to view, edit, and delete any data within their host Jira instance.

Important! Theoretical assumptions and predictions will be ignored. We will only consider step-by-step scenarios that lead to concrete findings. Videos and screenshots are welcome.

Note: BrizoIT uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, BrizoIT will defer to the CVSS score to determine the priority.

Worth noting: Company Calendar for Jira is designed to help people visualize any dates from Jira issues. It's a calendar-based organizer. While you may submit findings, they must have a clear threat or business impact for users. Otherwise, they are likely to be marked as won't fix or informational.

In addition, please note that our applications cache some Jira entities for a 15-minute interval. For instance, suppose you, as an admin, have removed a user's access to Jira. The user will be able to interact with the application for up to 15 minutes, assuming there is a JWT token that was generated while the user still had access to Jira.

Get Started (tl;dr version)

  • Do not access, impact, destroy or otherwise negatively impact BrizoIT or Atlassian's customers, or customer data in any way.

  • Ensure that you use your @bugcrowdninja.com email address.

  • Ensure you understand the targets, scopes, exclusions, and rules below.

Focus Areas

Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Cross Instance Data Leakage/Access *

  • Server-side Remote Code Execution (RCE)

  • Server-Side Request Forgery (SSRF)

  • Stored/Reflected Cross-site Scripting (XSS)

  • Cross-site Request Forgery (CSRF)

  • SQL Injection (SQLi)

  • Access Control Vulnerabilities

Ensure you review the out of scope and exclusions list for further details.

  • * Cross Instance Data Leakage/Access refers to unauthorized data access between instances.


Ratings/Rewards:

For the initial prioritization/rating of findings (with a few exceptions), this program will use the Bugcrowd Vulnerability Rating Taxonomy.

However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Please see Target Information for exclusions specific to this program.

Reward range

Last updated 30 Mar 2020 20:15:22 UTC

Technical severity    Reward
P1  Critical          $1,500
P2  Severe            $900
P3  Moderate          $300
P4  Low               $100

P5 submissions do not receive any rewards for this program.

Target information


Rules, Exclusions, and Scopes

Any domain/property of BrizoIT not listed in the targets section is strictly out of scope (for more information please see the out of scope and exclusions sections below). Researchers should use the "bugbounty-test-<bugcrowd-name>.atlassian.net" namespace provided in the instructions below. Please do not create additional instances outside of this namespace for testing.


Creating Your Instance

JIRA + Confluence Cloud
To access the instance and start your testing (after you've read and understood the scope and exclusions listed below, of course) you can follow the below steps:

  • Navigate to the checkout page here

  • Click "Next"

  • Complete the form, using the following format: bugbounty-test-<bugcrowd-name>. Note that <bugcrowd-name> should be replaced with your own Bugcrowd username.

  • Click "Start now"

  • Once your instance has been completed that's it - you can test away.


Out-of-Scope

Anything not declared as a target or in scope above should be considered out of scope for the purposes of this bug bounty. However, to help avoid grey areas, below are examples of what is considered out of scope.

  • Blind XSS must not return any user data that you do not have access to (e.g. screenshots, cookies that aren't owned by you, etc.); when testing for blind XSS, please use the least invasive test possible (e.g. calling a 1x1 image or nonexistent page on your webserver, etc.).

  • When testing, please exercise caution if injecting on any form that may be publicly visible - such as forums, etc. Before injection, please make sure your payload can be removed from the site. If it cannot be easily removed, please check with support@bugcrowd before performing the testing.

  • No pivoting or post exploitation attacks (i.e. using a vulnerability to find another vulnerability) are allowed on this program. DO NOT under any circumstance leverage a finding to identify further issues.

  • Any BrizoIT website is out of scope for this bounty unless it is directly accessible from one of the targets or any associated services attached to the instance.

  • Customer cloud instances and data are explicitly out of scope.

  • Any repository that you are not an owner of - do not impact BrizoIT or Atlassian customers in any way.

  • Only the latest versions of our products are eligible for a reward.

  • Any internal or development services.

The following finding types are specifically excluded from the bounty:

  • Lack of Rate Limiting on any of the targets.

  • The use of Automated scanners is strictly prohibited (we have these tools too - don't even think about using them)

  • Descriptive error messages (e.g. Stack Traces, application or server errors).

  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.

  • Fingerprinting / banner disclosure on common/public services.

  • Disclosure of known public files or directories, (e.g. robots.txt).

  • Clickjacking and issues only exploitable through clickjacking.

  • CSRF on forms that are available to anonymous users (e.g. the contact form).

    • CSRF attacks that require knowledge of the CSRF token (e.g. attacks involving a local machine).

  • Logout Cross-Site Request Forgery (logout CSRF).

  • Content Spoofing.

  • Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.

  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.

  • Lack of Security Speedbump when leaving the site.

  • Weak Captcha / Captcha Bypass.

  • Login or Forgot Password page brute force and account lockout not enforced.

  • OPTIONS HTTP method enabled.

  • Username / email enumeration.

  • Missing HTTP security headers, specifically:

    • Strict-Transport-Security.

    • X-Frame-Options.

    • X-XSS-Protection.

    • X-Content-Type-Options.

    • Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP.

    • Content-Security-Policy-Report-Only.

    • Cache-Control and Pragma.

  • HTTP/DNS cache poisoning.

  • SSL/TLS Issues, e.g.

    • SSL Attacks such as BEAST, BREACH, Renegotiation attack.

    • SSL Forward secrecy not enabled.

    • SSL weak/insecure cipher suites.

  • No Load testing (DoS/DDoS etc) is allowed on the instance.

    • This includes application DoS as well as network DoS.

  • Self-XSS reports will not be accepted.

    • Similarly, any XSS where local access is required (i.e. User-Agent Header injection) will not be accepted. The only exception will be if you can show a working off-path MiTM attack that will allow for the XSS to trigger.

  • Vulnerabilities that are limited to unsupported browsers will not be accepted (i.e. "this exploit only works in IE11"). A list of supported browsers can be found here.

  • Known vulnerabilities in used libraries, or reports that an Atlassian product uses an outdated third-party library (e.g. jQuery, Apache HttpComponents, etc.) unless you can prove exploitability.

  • Missing or incorrect SPF records of any kind.

  • Missing or incorrect DMARC records of any kind.

  • Source code disclosure vulnerabilities.

  • Information disclosure of non-confidential information (e.g. issue id, project id, commit hashes).

  • The ability to upload/download viruses or malicious files to the platform.

  • Email bombing/Flooding/rate limiting.

  • JWT in ajax requests ignores path and HTTP method.

  • For some of our apps, we allow arbitrary HTML templates to be defined by administrators. Those could potentially be used for XSS attacks, however since only administrators have access we don't consider those as security threats.

Rules

  • You must ensure that customer data is not affected in any way as a result of your testing. Please ensure you're being non-destructive whilst testing and are only testing on instances that you own.

  • In addition to the above, customer instances are not to be accessed in any way (i.e. no customer data is accessed, customer credentials are not to be used or "verified").

    • If you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e. through a vulnerability) report it, but do not attempt to successfully validate if/that it works.

  • Use of any automated tools/scanners is strictly prohibited and will lead to you being removed from the program (trust us, we have those tools too).

  • Reports need to be submitted in plain text (associated pictures/videos are fine as long as they're in standard formats). Non-plain text reports (e.g. PDF, DOCX) will be asked to be resubmitted in plain text.

  • Grants/awards are at the discretion of BrizoIT and we reserve the right to grant, modify or deny grants. But we'll be fair about it.

  • Tax implications of any payouts are the sole responsibility of the reporter.

  • Do NOT conduct non-technical attacks such as social engineering, phishing or unauthorized access to infrastructure.

  • Do NOT test the physical security of BrizoIT offices, employees, equipment, etc.

  • This bounty follows Bugcrowd’s standard disclosure terms.

Public Disclosure

Before disclosing an issue publicly we require that you first request permission from us. BrizoIT will process requests for public disclosure on a per-report basis. Requests to publicly disclose an issue that has not yet been fixed for customers will be rejected. Any researcher found publicly disclosing reported vulnerabilities without BrizoIT's written consent will have any allocated bounty withdrawn and will be disqualified from the program.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;

  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;

  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and

  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Program rules

This program follows Bugcrowd’s standard disclosure terms.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.