In this article, I'll explain how I reported a P5 Informational Jira misconfiguration, why it was initially marked Not Applicable, and how it still resulted in a $500 bounty.
The Finding: Public Access to Jira Filters & Dashboards
While testing the XYZ.com environment, I discovered that certain Jira dashboard and filter pages were accessible without authentication.
Vulnerable Endpoint
https://XYZ.atlassian.net/secure/ConfigurePortalPages!default.jspa?view=popular
These endpoints allowed unauthenticated users to view:
- Jira filter names
- Jira dashboard names
- Internal project/backlog references
- Internal tickets
Why This Is a Security Risk
At first glance, this may look harmless. But in real-world organizations:
1. Filter names often include:
   - Internal project codenames
   - Feature names
   - Incident references
   - Security or infrastructure hints
2. Dashboards can expose:
   - Development priorities
   - Ongoing internal work
   - Organizational structure
3. Even metadata leakage helps attackers with:
   - Reconnaissance
   - Targeted phishing
   - Attack planning
   - Social engineering
Internal information should never be publicly accessible, even if it does not expose direct data.
Root Cause
This issue occurred due to:
- Incorrect Jira permission configuration
- Filters and dashboards marked as publicly shared
- Default Jira permission behavior not being restricted properly
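A defender-side audit for the root cause above, added here as an example and not code from the original post: it walks the JSON returned by Jira Cloud's filter and dashboard search endpoints (with `expand=sharePermissions`) and flags every item whose share permissions reach beyond the organisation's own users. Endpoint paths and share-type names follow Atlassian's REST API v3 as I know it and should be checked against your instance; the sample responses are constructed for the example.

```python
"""Flag Jira Cloud filters/dashboards that are shared publicly.

Assumed API shape: GET /rest/api/3/filter/search?expand=sharePermissions and
GET /rest/api/3/dashboard/search?expand=sharePermissions return a paginated
object whose "values" list carries "id", "name" and "sharePermissions".
"""
import json

# Share types that expose an item outside the organisation. "global" is the
# "Public" option (visible to anyone, including anonymous users), which is the
# misconfiguration in this write-up; "loggedin"/"authenticated" mean any
# logged-in user, which on Cloud can be any Atlassian account, so flag them too.
RISKY_SHARE_TYPES = {"global": "PUBLIC",
                     "loggedin": "ANY_LOGGED_IN",
                     "authenticated": "ANY_LOGGED_IN"}


def find_overshared(items, kind):
    """Return [(kind, id, name, exposure)] for items with a risky share type."""
    findings = []
    for item in items:
        for perm in item.get("sharePermissions", []):
            exposure = RISKY_SHARE_TYPES.get(perm.get("type"))
            if exposure:
                findings.append((kind, str(item["id"]), item["name"], exposure))
                break  # one finding per item is enough
    return findings


def audit(filter_page, dashboard_page):
    """Combine filter and dashboard findings from two search responses."""
    return (find_overshared(filter_page.get("values", []), "filter")
            + find_overshared(dashboard_page.get("values", []), "dashboard"))


# Constructed sample responses (shape follows the API; contents are made up).
SAMPLE_FILTERS = json.loads("""{"values": [
 {"id": "10001", "name": "Q3 payments-revamp backlog",
  "sharePermissions": [{"type": "global"}]},
 {"id": "10002", "name": "My open bugs", "sharePermissions": []},
 {"id": "10003", "name": "SOC escalations",
  "sharePermissions": [{"type": "project", "project": {"id": "10200"}}]}]}""")
SAMPLE_DASHBOARDS = json.loads("""{"values": [
 {"id": "10100", "name": "Release war room",
  "sharePermissions": [{"type": "loggedin"}]},
 {"id": "10101", "name": "Team velocity",
  "sharePermissions": [{"type": "group", "group": {"name": "dev"}}]}]}""")

if __name__ == "__main__":
    for kind, item_id, name, exposure in audit(SAMPLE_FILTERS, SAMPLE_DASHBOARDS):
        print(f"{exposure:<14} {kind:<9} id={item_id} name={name!r}")
```

Run the same function over the live API responses (fetched with an API token) and fix any PUBLIC entry by changing its share to a project, group or role.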
The report was initially marked Not Applicable:
"We were unable to identify an immediate security impact."
This is common for informational findings, especially when no direct exploitation is shown.
Final Outcome: $500 Reward
Despite the NA status, the XYZ security team reviewed the report independently and decided to award a $500 goodwill bounty:
"Though the triager was correct, we appreciate the information about the Jira misconfiguration and will award a token sum of $500."
- Severity updated to P5
- Reward issued
- Report acknowledged
Final Thoughts
This experience reinforced one important lesson:
Bug bounty is not just about breaking things; it's about improving security posture.
If you're hunting bugs, don't ignore misconfigurations. Sometimes, they pay, literally.
If you want to collaborate on bugs or need help, you can message me directly on:
Instagram: swarup_9696
X: SWAROOP9696