Security of user data and communication is of utmost importance to Asana. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Asana. Principles of responsible disclosure include, but are not limited to:
In order to be eligible for a bounty, your submission must be accepted as valid by Asana. We use the following guidelines to determine the validity of requests and the reward compensation offered.
Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
More severe bugs will be met with greater rewards. We are most interested in vulnerabilities in app.asana.com and asana.com. Other Asana subdomains are generally not eligible for rewards unless the reported vulnerability somehow affects app.asana.com or Asana customer data.
To receive a reward, you must reside in a country not on sanctions lists (e.g., Cuba, Iran, North Korea, Sudan & Syria). This is a discretionary program and Asana reserves the right to cancel the program; the decision whether or not to pay a reward is at our discretion.
Please email us at firstname.lastname@example.org with any vulnerability reports or questions about the program.