Atlassian Rules For Security Testing Of Cloud Products
Atlassian customers may carry out security assessments against their Atlassian Cloud Products (as defined below) without prior approval. The term “security assessment” refers to any activity intended to determine, evaluate or test the security features and controls of Atlassian’s products and services (for example, penetration tests and vulnerability scans). This page sets forth the rules (“Security Test Rules”) applicable to customers who wish to perform security assessments against their Atlassian Cloud Products. Atlassian’s platform for providing Cloud Products (the “Atlassian Cloud Platform”) uses shared infrastructure to host your Cloud Products and Cloud Products belonging to other customers. Care must be taken to limit all security assessments to your Cloud Products or instances and avoid unintended impacts to other customers.
All security assessments must follow the Atlassian Security Test Rules as detailed on this page. Your use of the Cloud Products will continue to be subject to the Atlassian Cloud Terms of Service or other applicable terms and conditions of the agreement(s) (collectively, “Terms of Service”) under which you purchased the relevant Cloud Products. Any violation of these Security Test Rules or the relevant Terms of Service may result in suspension or termination of your account and/or legal action against you. You are responsible for any damage to the Atlassian Cloud Platform and any negative impact to other customers' data or use of the Atlassian Cloud Platform that is caused by your breach of these Security Test Rules or the Terms of Service.
Cloud Products Eligible For Security Assessments
The products listed below constitute “Cloud Products” for purposes of these Security Test Rules:
- Jira Software
- Jira Service Management
- Jira Align
- Jira Work Management
- Atlassian Access
Security Test Rules
- Security assessments may only be performed by Atlassian customers subscribed to the eligible Cloud Products listed above.
- You may perform security assessments only against your own instances of the Cloud Products in accordance with Atlassian’s policies pertaining to security assessments, including these Security Test Rules
- You may use automated tools/scanners to perform security assessments; however, keep in mind we also use those tools. Any results of an automated scanner must be reviewed and triaged by customer’s security team before being forwarded to Atlassian, with a working, reproducible proof of concept. We will not accept un-triaged output from security scanners
- Scanning, testing or accessing Cloud Products, instances or assets that do not belong to you, including those belonging to any other Atlassian customers
- Deliberately accessing any other customer’s data (including accessing or using any customer’s credentials)
- Non-technical attacks (including, but not limited to, social engineering, phishing or unauthorized access to infrastructure)
- Physical security attacks (including, but not limited to, Atlassian offices, equipment, employees, etc.)
- Testing products which are out of scope
- Targeting Atlassian corporate infrastructure
- Denial of Service (DoS), Distributed Denial of Service (DDoS), Simulated DoS, Simulated DDoS
- Port flooding
- Protocol flooding
- Request flooding (login request flooding, API request flooding)
- Submitting non-triaged reports from a vulnerability scanner or security assessment application
If you believe you have discovered a potential security flaw related to the Atlassian Cloud Products or other Atlassian service, you agree to report it within 24 hours by following these instructions: Report a Vulnerability. You may also submit findings to our bug bounty program, but please note: automated scanner findings will not be accepted. Once submitted, you must first request permission from us before disclosing an issue publicly. Results of security assessments are considered Atlassian’s confidential information. Atlassian will process requests for public disclosure on a per report basis. Requests to publicly disclose an issue that has not yet been fixed for customers will be rejected.
While intentionally accessing any other Atlassian customer’s data is strictly prohibited, if you believe you have found sensitive customer data (e.g., login credentials, API keys etc) or a way to access customer data (i.e., through a vulnerability) report it to Atlassian Support immediately, but do not attempt to validate the vulnerability or otherwise access a customer’s account or data.
In addition to Atlassian’s rights to suspend or terminate your account if you violate these Security Test Rules, Atlassian reserves the right to respond to any activities on its networks that appear to be malicious or otherwise present a threat. Atlassian may blocklist your IP(s) or IP range if we receive an abuse report for activities related to your security assessment. If you contact Atlassian Support to remove the restrictions, please provide the root cause of the reported activity, and detail what you have done to prevent the reported issue from recurring.
Optionally, if you would like to notify Atlassian Security of your intent to perform a Security Assesment, submit a ticket to Atlassian Support with the subject: Intent for Security Assessment. Include your testing date and time-range, source IP(s) or range, target domains and contact information. While prior notification is not required, it will help us to identify testing and not issue network blocking which may nullify your testing.
Partners and Resellers of Atlassian Cloud Products are responsible for their customers' Security Assessment activity.