Bugcrowd · Bug Bounty

Atlassian Bug Bounty Program

Complete guide to Atlassian's bug bounty program on Bugcrowd. View in-scope assets, reward amounts, response times, and tips for finding vulnerabilities.

Program Overview

Atlassian runs a bug bounty program on Bugcrowd with a maximum payout of $12,000. The program has 50 in-scope assets and is managed by Bugcrowd's triage team.

In-Scope Assets: 50
Max Payout: $12,000

In-Scope Assets

Asset | Type | Max Severity | Eligible
https://admin.atlassian.com/atlassian-guard | WEBSITE
https://admin.atlassian.com/ | WEBSITE
https://id.atlassian.com/login | WEBSITE
https://start.atlassian.com | WEBSITE
https://bitbucket.org | WEBSITE
https://www.atlassian.com/software/confluence | WEBSITE
https://www.atlassian.com/software/confluence/premium | WEBSITE
https://play.google.com/store/apps/details?id=com.atlassian.android.confluence.core&hl=en_US&gl=US | ANDROID
https://apps.apple.com/us/app/confluence-cloud/id1006971684 | IOS
https://play.google.com/store/apps/details?id=com.atlassian.android.jira.core&hl=en_US&gl=US | ANDROID
https://apps.apple.com/us/app/jira-cloud-by-atlassian/id1006972087 | IOS
https://www.atlassian.com/software/jira/service-management | WEBSITE
https://www.atlassian.com/software/jira | WEBSITE
https://www.atlassian.com/software/jira/work-management | WEBSITE
Any associated *.atlassian.com or *.atl-paas.net domain that can be exploited DIRECTLY from the *.atlassian.net instance | OTHER
https://www.atlassian.com/software/rovo | WEBSITE
https://support.atlassian.com/rovo/docs/use-rovo-dev-cli/ | OTHER
https://www.atlassian.com/software/rovo-dev | WEBSITE
https://mcp.atlassian.com | OTHER
https://www.atlassian.com/software/compass | WEBSITE
https://marketplace.atlassian.com | WEBSITE
https://www.atlassian.com/software/atlas | WEBSITE
https://www.atlassian.com/enterprise/data-center/bitbucket | WEBSITE
https://www.atlassian.com/enterprise/data-center/confluence | OTHER
https://www.atlassian.com/enterprise/data-center/crowd | WEBSITE
https://www.atlassian.com/enterprise/data-center/jira | WEBSITE
https://www.atlassian.com/enterprise/data-center/jira/service-management | WEBSITE
https://www.atlassian.com/enterprise/data-center/jira | WEBSITE
https://*.atlastunnel.com | WEBSITE
Any other *.atlassian.com or *.atl-paas.net domain that cannot be exploited directly from a *.atlassian.net instance | WEBSITE
https://www.loom.com/ | WEBSITE
https://www.loom.com/download | WEBSITE
https://www.loom.com/download | WEBSITE
https://play.google.com/store/apps/details?id=com.loom.android&hl=en_US&pli=1 | ANDROID
https://apps.apple.com/us/app/loom-screen-recorder/id1474480829 | IOS
https://chromewebstore.google.com/detail/loom-%E2%80%93-screen-recorder-sc/liecbddmkiiihnedobmlmillhodjkdmb?hl=en-US&pli=1 | OTHER
https://www.atlassian.com/software/bamboo | WEBSITE
https://confluence.atlassian.com/doc/install-atlassian-companion-992678880.html | OTHER
https://play.google.com/store/apps/details?id=com.atlassian.confluence.server | ANDROID
https://apps.apple.com/us/app/confluence-server/id1288365159 | IOS
https://www.atlassian.com/software/crucible | WEBSITE
https://www.atlassian.com/software/fisheye | WEBSITE
https://play.google.com/store/apps/details?id=com.atlassian.jira.server&hl=en_US&gl=US | ANDROID
https://apps.apple.com/us/app/jira-server/id1405353949 | IOS
https://www.sourcetreeapp.com/ | OTHER
Other - (all other Atlassian targets) | OTHER
https://www.atlassian.com/software/jira/product-discovery | WEBSITE
Forge Platform | OTHER
GraphQL API (bugbounty-test-<bugcrowd-name>.atlassian.net/gateway/api/graphql) | API
https://www.npmjs.com/package/@forge/cli | OTHER

Out-of-Scope Assets

  • Any internal or development services.
  • https://bugcrowd.com/atlassianapps
  • https://shop.atlassian.com
  • bytebucket.org
  • *.bitbucket.io
  • https://blog.bitbucket.org
  • HipChat (inc. HipChat Data Center, HipChat Desktop, HipChat Mobile)
  • Stride (inc. Stride Video, Stride Desktop, Stride Mobile)
  • https://support.atlassian.com
  • Any customer instance. Do not test customer instances or affect customer data. Customer cloud instances may be in the form of <customer>.atlassian.net or <customer>.jira.com. Test only your own instances.
  • Any repository that you are not an owner of - do not impact Atlassian customers in any way.
  • https://support.loom.com
  • https://info.loom.com/

Tips for Hacking Atlassian

  1. Read the policy — Understand what's in scope, out of scope, and any specific testing restrictions before you start.
  2. Enumerate the attack surface — Use subdomain enumeration and directory brute-forcing to map all accessible endpoints.
  3. Focus on high-impact bugs — Look for SQL injection, SSRF, and IDOR vulnerabilities first.
  4. Test authentication flows — Check for OAuth misconfigurations and CSRF in login/signup flows.
  5. Write clear reports — Include steps to reproduce, impact assessment, and suggested remediation. Use Burp Suite to capture evidence.

Frequently Asked Questions

How do I start hacking Atlassian?

Sign up on Bugcrowd, read the program policy carefully, review the in-scope assets listed above, and start testing. Always stay within scope and follow responsible disclosure guidelines.

Does Atlassian pay bounties?

Yes, Atlassian offers monetary rewards for valid security vulnerabilities.

What types of vulnerabilities does Atlassian accept?

Atlassian accepts reports for vulnerabilities found in their 50 in-scope assets. Common accepted vulnerability types include XSS, SQL injection, SSRF, IDOR, authentication bypass, and RCE. Check the program policy for specific exclusions.