Finding and Reporting a Security Issue
If you find a security issue in the product, open an issue on https://jira.atlassian.com in the relevant project.
- Set the security level of the bug to 'Reporters and Developers'.
- Set the priority of the bug to 'Blocker'.
- Provide as much information on reproducing the bug as possible.
All communication about the security issue should go through JIRA, so that Atlassian can keep track of the issue and get a patch out as soon as possible.
If you cannot find the right project to file your issue in, email the details to security@atlassian.com.
We are not looking for reports listing generic "best practice" issues such as:
- Specific cookies not being marked Secure or HttpOnly
- Presence or absence of HTTP headers (X-Frame-Options, HSTS, CSP, nosniff and so on)
- Clickjacking
- Mixed HTTP and HTTPS content
- Auto-complete enabled or disabled
- SSL-related issues
We are also not looking for reports on the following bug classes:
- Username enumeration using login or password reset features. While username enumeration can be a vulnerability in web applications, most Atlassian products and web sites include a number of social features. As a result, usernames can be discovered by design in a number of ways.
Further reading
See Atlassian Support Offerings for more support-related information.