Vulnerability Disclosure Policy

1. Purpose

This document outlines our vulnerability disclosure policy to ensure security researchers and users can responsibly report security vulnerabilities found in our Confluence Cloud apps. Our goal is to protect customer data and maintain the integrity of our applications.

2. Scope

This policy applies to all security vulnerabilities that affect our Confluence Cloud applications, services, and infrastructure.

3. Reporting a Vulnerability

3.1 Guidelines for Reporters

When submitting a vulnerability report, please provide the following details:

  • A clear and concise description of the vulnerability.

  • Steps to reproduce the issue, including proof-of-concept code if applicable.

  • The potential security impact.

  • Any suggestions for mitigation.

3.2 Reporting Channels

Vulnerabilities should be reported through the following channels:

We encourage responsible disclosure and request that researchers allow us a reasonable time to address the issue before publicly disclosing any details.

4. Acknowledgment and Response Process

Upon receiving a vulnerability report, we will:

  1. Acknowledge receipt of the report within 48 hours.

  2. Assess the severity and impact of the reported issue.

  3. Communicate expected timelines for resolution.

  4. Work closely with the researcher to validate and mitigate the issue.

  5. Notify affected customers if necessary.

  6. Provide recognition for responsible disclosures, if permitted by the researcher.

5. Safe Harbor

We commit to working with security researchers in good faith. If vulnerabilities are reported responsibly:

  • We will not pursue legal action.

  • We will collaborate to resolve the issue promptly.

  • We will publicly acknowledge the researcher's contribution if they desire.

6. Exclusions

While we welcome vulnerability reports, the following activities are strictly prohibited:

  • Exploiting vulnerabilities beyond proof-of-concept testing.

  • Accessing, modifying, or deleting any customer data.

  • Conducting denial-of-service attacks.

  • Social engineering, phishing, or physical attacks.

7. Continuous Improvement

We continuously update our security practices based on disclosed vulnerabilities and encourage responsible reporting to improve our applications.
