Vulnerability Information - What are we looking for?


When submitting an issue, please provide a technical description that allows us to assess exploitability and impact of the issue.

  • Provide steps to reproduce the issue, including any URLs or code involved.
  • If you are reporting a cross-site scripting (XSS) issue, your exploit should at least pop up an alert in the browser. It is much better if the XSS exploit shows the user's authentication cookie.
  • For a cross-site request forgery (CSRF), use a proper CSRF case in which a third party causes the logged-in victim to perform an action.
  • For a SQL injection, we want to see the exploit extracting database data, not just producing an error message.
  • HTTP request / response captures or simply packet captures are also very useful to us.

Please refrain from sending us links to non-Atlassian web sites, or issues in PDF / DOC / EXE files. Image files are OK. Make sure the bug is exploitable by someone other than the affected user themselves (i.e. it is not a "self-XSS").

We are unable to respond to generic scanner reports. If you have had a security practitioner examine a generic scan report and they have isolated specific vulnerabilities that need to be addressed, we request that you use our Service Desk to report them individually. It's a simple process to register with the Service Desk, and helps us to provide you with updates as we investigate.


What we are not looking for

  • Auto-complete enabled or disabled
  • Clickjacking
  • Cookies not used for authentication or CSRF protection not being marked as Secure and/or HttpOnly
  • Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff and so on)
  • Stack traces