JXL bug bounty

Fine Software

  • $100 – $1,500 per vulnerability
  • Safe harbor
Submit report

Program stats

  • Vulnerabilities rewarded 2

Known issues

Counts of P1 P4 vulnerabilities

  • Includes imported issues tracked outside of Bugcrowd.
  • Excludes Out of scope vulnerabilities.
  • Unique 0 Includes issues in Triaged, Unresolved, and Informational states
  • Total 0 Includes Duplicate of unique known issues

This is a private program

Congratulations! Only a select few have been invited to participate in this program. Please refrain from sharing information about this program or your submissions.

This bounty is part of the Atlassian Marketplace Bounty Program

Sydney, Australia-based Fine Software Pty Ltd was founded in 2020. Fine Software's passion is to craft beautiful software that really helps people get their job done. The company’s main product is JXL, an all-in-one issue editor and organizer app for Jira.

Get Started (tl;dr version)

  • Do not access, impact, destroy or otherwise negatively impact Fine Software Pty Ltd or Atlassian customers, or customer data in anyway.
  • Ensure that you use your @bugcrowdninja.com email address.
  • Ensure you understand the targets, scopes, exclusions, and rules below.
  • Please note that the application listed in the target is in scope. The URL (the marketplace page) itself is NOT.

Quick Links

Note: If the same vulnerability exists in different hosting solutions of a single app, we may pay for this vulnerability once if the codebase and the fix is the same. We reserve the right to make this decision on a case-by-case basis.

Additionally, there are apps that have distinct listings but share the same codebase. In such case we will only pay once across these apps, unless an environmentally unique vulnerability is discovered.

Focus Areas

Below is a list of some of the vulnerability classes that we are seeking reports for:

  • Cross Instance Data Leakage/Access**
  • Server-side Remote Code Execution (RCE)
  • Server-Side Request Forgery (SSRF)
  • Stored/Reflected Cross-site Scripting (XSS)
  • Cross-site Request Forgery (CSRF)
  • SQL Injection (SQLi)
  • XML External Entity Attacks (XXE)
  • Access Control Vulnerabilities (Insecure Direct Object Reference issues, etc)
  • Path/Directory Traversal Issues

Ensure you review the out-of-scope and exclusions list for further details.

** Cross Instance Data Leakage/Access refers to unauthorized data access between instances.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. Fine Software Pty Ltd uses CVSS to consistently score security vulnerabilities. Where discrepancies between the VRT and CVSS score exist, Fine Software Pty Ltd will defer to the CVSS score to determine the priority. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal and make a case for a higher priority.

Scope and rewards

Program rules

This program follows Bugcrowd’s standard disclosure terms.

For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please submit through the Bugcrowd Support Portal. We will address your issue as soon as possible.

This program does not offer financial or point-based rewards for P5 — Informational findings. Learn more about Bugcrowd’s VRT.