Vulnerability Information - What are we looking for?
When submitting an issue, please provide a technical description that allows us to assess the exploitability and impact of the issue.
- Provide steps to reproduce the issue, including any URLs or code involved.
- If you are reporting a cross-site scripting (XSS) issue, your exploit should at least pop up an alert in the browser. It is much better if the XSS exploit shows that the payload can read the user's authentication cookie.
- For a cross-site request forgery (CSRF), demonstrate a proper CSRF case in which a third-party site causes a logged-in victim to perform an action without their intent.
- For a SQL injection, we want to see the exploit extracting database data, not just producing an error message.
- HTTP request / response captures or simply packet captures are also very useful to us.
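To illustrate the SQL injection point above, here is an added example that is not part of Atlassian's guidance and not Atlassian code. It uses an in-memory SQLite database with a constructed users table and a deliberately vulnerable lookup, and contrasts a probe that only triggers a database error (not enough for a report) with a payload that actually extracts data, alongside the parameterized query that stops it. The table, column names and function names are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed sample database (not real data) with a secret column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, session_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, session_token) VALUES (?, ?)",
        [("alice", "tok-alice-1234"), ("bob", "tok-bob-5678")],
    )
    conn.commit()
    return conn


def vulnerable_lookup(conn, username):
    """Deliberately vulnerable: user input is concatenated straight into the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, username):
    """Hardened form: the value travels as a bound parameter, never as SQL syntax."""
    return [
        row[0]
        for row in conn.execute(
            "SELECT username FROM users WHERE username = ?", (username,)
        )
    ]


def probe(conn, payload):
    """Run a payload against the vulnerable lookup.

    Returns ("error", message) when the payload only breaks the query, or
    ("rows", rows) when it returns data. A report should show the latter.
    """
    try:
        return ("rows", vulnerable_lookup(conn, payload))
    except sqlite3.Error as exc:
        return ("error", str(exc))


# A lone quote only proves the input reaches the parser: the server returns an error.
ERROR_ONLY_PAYLOAD = "'"

# A UNION payload proves impact: it pulls the session_token column out of the table.
# The trailing "--" comments out the closing quote the application appends.
DATA_EXTRACTION_PAYLOAD = "x' UNION SELECT session_token FROM users --"


def demo():
    """Return the outcome of both payloads against the vulnerable and safe lookups."""
    conn = make_db()
    return {
        "error_probe": probe(conn, ERROR_ONLY_PAYLOAD),
        "extraction": probe(conn, DATA_EXTRACTION_PAYLOAD),
        "safe_with_payload": safe_lookup(conn, DATA_EXTRACTION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The error-only probe is the kind of evidence a generic scanner produces; the UNION payload is what the report should contain, because it shows data leaving the database. Against `safe_lookup` the same payload simply matches no row.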
Please refrain from sending us links to non-Atlassian web sites, or issues in PDF / DOC / EXE files. Image files are OK. Make sure the bug is exploitable against someone other than the reporting user: a "self-XSS", where the only person affected is the one who enters the payload, does not qualify.
We are unable to respond to generic scanner reports. If you have had a security practitioner examine a generic scan report and they have isolated specific vulnerabilities that need to be addressed, we request that you use our Service Desk to report them individually. Registering with the Service Desk is simple, and it lets us provide you with updates as we investigate.
What we are not looking for
- Auto-complete enabled or disabled
- Clickjacking on pages that only contain static content, or clickjacking as it currently stands in JIRA Server (for more details see https://jira.atlassian.com/browse/JRASERVER-25143)
- Cookies that are not used for authentication or CSRF protection lacking the Secure and/or HttpOnly flags
- Presence or absence of HTTP headers (X-Frame-Options, CSP, nosniff and so on)
- Stack traces
- Content spoofing
Atlassian Security PGP details can be found here.
Before disclosing an issue publicly we require that you first request permission from us. Atlassian will process requests for public disclosure on a per report basis.
Public disclosure requests will only be considered once the reported vulnerability is fixed.