follow us on twitter . like us on facebook . follow us on instagram . subscribe to our youtube channel . announcements on telegram channel



« previous next »
Pages: [1]

Author Topic: Asana Bug Bounty  (Read 15876 times)

Angelina

  • Moderator
  • Experienced Member
  • *****
  • Posts: 357
    • View Profile
Asana Bug Bounty
« on: April 19, 2023, 05:20:41 pm »
Submit bug report: https://asana.comยท@asana

Policy

Responsible Disclosure
Security of user data and communication is of utmost importance to Asana. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Asana. Principles of responsible disclosure include, but are not limited to:
Accessing or exposing only customer data that is your own.
Avoiding scanning techniques that are likely to cause degradation of service to other customers (e.g. by overloading the site).
Keeping within the guidelines of our Terms Of Service.
Keeping details of vulnerabilities secret until Asana has been notified and had a reasonable amount of time to fix the vulnerability.
In order to be eligible for a bounty, your submission must be accepted as valid by Asana. We use the following guidelines to determine the validity of requests and the reward compensation offered.
Reproducibility
Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
Severity
More severe bugs will be met with greater rewards. We are most interested in vulnerabilities with app.asana.com and asana.com. Other subdomains of asana are generally not eligible for rewards unless the reported vulnerability somehow affects app.asana.com or Asana customer data.
Examples of Qualifying Vulnerabilities
Authentication flaws
Circumvention of our Platform/Privacy permissions model
Clickjacking
Cross-site scripting (XSS)
Cross-site request forgery (CSRF/XSRF)
Mixed-content scripts on app.asana.com
Server-side code execution
Examples of Non-Qualifying Vulnerabilities
Denial of Service vulnerabilities (DOS)
Possibilities to send malicious links to people you know
Security bugs in third-party websites that integrate with Asana
Mixed-content scripts on www.asana.com
Insecure cookies on www.asana.com
Vulnerabilities that require a potential victim to install non-standard software or otherwise take active steps to make themselves be susceptible
Rewards
Only 1 bounty will be awarded per vulnerability.
If we receive multiple reports for the same vulnerability, only the person offering the first clear report will receive a reward.
We maintain flexibility with our reward system, and have no minimum/maximum amount; rewards are based on severity, impact, and report quality. To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and Asana reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.
Contact
Please email us at security@asana.com with any vulnerability reports or questions about the program.
Policy: https://asana.com/bounty
« Last Edit: April 19, 2023, 06:37:12 pm by Angelina »
Logged
Pages: [1]
« previous next »