Vulnerability Information - What are we looking for?
When submitting an issue, please provide a technical description that allows us to assess exploitability and impact of the issue.
- Provide steps to reproduce the issue, including any URLs or code involved.
- If you are reporting a cross-site scripting (XSS) issue, your exploit should at least pop up an alert in the browser. It is much better if the XSS exploit shows the user's authentication cookie.
- For a cross-site request forgery (CSRF), use a proper CSRF case in which a third party causes the logged-in victim to perform an action.
- For a SQL injection, we want to see the exploit extracting database data, not just producing an error message.
- HTTP request/response captures, or simply packet captures, are also very useful to us.
Please refrain from sending us links to non-Atlassian web sites, or issues in PDF / DOC / EXE files. Image files are OK. Make sure the bug is exploitable by someone other than the affected user themselves (for example, "self-XSS" does not qualify).
We are unable to respond to generic scanner reports. If you have had a security practitioner examine a generic scan report and they have isolated specific vulnerabilities that need to be addressed, we request that you use our Service Desk to report them individually. It's a simple process to register with the Service Desk, and helps us to provide you with updates as we investigate.
What we are not looking for
- Auto-complete enabled or disabled
- Cookies that are not used for authentication or CSRF protection lacking the Secure and/or HttpOnly flags
- Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff and so on)
- Stack traces