If you believe you have found a security issue that meets Atlassian’s definition of a vulnerability, please submit the report to our security team via one of the methods below:
If you are a customer:
If you are a security researcher:
Only vulnerabilities submitted through our bug bounty program are eligible to receive a bounty payment.
Please include the following information in your report:
- Type of issue (cross-site scripting, SQL injection, remote code execution, etc.)
- Product and version with the bug or a URL if dealing with a cloud service
- The potential impact of the vulnerability (i.e. what data can be accessed or modified)
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept or exploit code required to reproduce
If you wish to encrypt your submission with our PGP key, please download it here.
We are unable to respond to bulk reports generated by automated scanners. If you identify issues using an automated scanner, it is recommended that you have a security practitioner review the issues and ensure that the findings are valid before submitting a vulnerability report to Atlassian.