Documentation for Confluence 5.4.

Finding and Reporting a Security Issue

If you find a security issue in the product, open an issue on https://jira.atlassian.com in the relevant project.

  • Set the security level of the bug to 'Reporters and Developers'.
  • Set the priority of the bug to 'Blocker'.
  • Provide as much information on reproducing the bug as possible.

All communication about the security issue should be performed through JIRA, so that Atlassian can keep track of the issue and get a patch out as soon as possible.

If you cannot find the right project to file your issue in, email the details to security@atlassian.com.


When reporting a security vulnerability, please keep in mind the following:

We need a technical description that allows us to assess exploitability and impact of the issue.

  • Provide steps to reproduce the issue, including any URLs or code involved.
  • If you are reporting a cross-site scripting (XSS) issue, your exploit should at least pop up an alert in the browser. It is much better if the XSS exploit shows the user's authentication cookie.
  • For a cross-site request forgery (CSRF), use a proper CSRF case in which a third party causes the logged-in victim to perform an action.
  • For a SQL injection, we want to see the exploit extracting database data, not just producing an error message.
  • HTTP request / response captures or simply packet captures are also very useful to us.

Please refrain from sending us links to non-Atlassian web sites, or reports in PDF / DOC / EXE files. Image files are OK. Make sure the bug is exploitable by someone other than the affected user (so-called "self-XSS" does not qualify).

Without this information it is not possible to assess your report and it is unlikely to be addressed.

We are not looking for reports listing generic "best practice" issues such as:

  • Specific cookies not being marked as Secure or HttpOnly
  • Presence or absence of HTTP headers (X-Frame-Options, HSTS, CSP, nosniff and so on)
  • Clickjacking
  • Mixed HTTP and HTTPS content
  • Auto-complete enabled or disabled
  • SSL-related issues

We are also not looking for reports on the following bug classes:

  • Username enumeration using login or password reset features. While username enumeration can be a vulnerability in web applications, most Atlassian products and web sites include a number of social features. As a result, usernames can be discovered by design in a number of ways.

Further reading

See Atlassian Support Offerings for more support-related information.