In order to be eligible for a bounty, your submission must be accepted as valid by Asana. We use the following guidelines to determine the validity of requests and the reward compensation offered.
a) Responsible Disclosure
Security of user data and communication is of utmost importance to Asana. In pursuit of the best possible security for our service, we welcome responsible disclosure of any vulnerability you find in Asana. Principles of responsible disclosure include, but are not limited to:
*If you participate in our bug bounty program, regardless of whether or not you file any bugs or any reward is awarded to you by Asana, and subject to Section III Rewards, below, the first three bullets of section 5.2 of Asana’s Terms of Service (the “Asana AUP”) do not apply to you solely to the extent that you are participating in Asana’s bug bounty program, which means that you adhere to the principles of responsible disclosure set forth above. In the event that you take any of the actions outlined in the first three bullets of the Asana AUP and act in a way that violates any of the principles of responsible disclosure set forth above or otherwise shows malicious intent as determined by Asana, such actions will be deemed a breach of Asana’s Bug Bounty Program and Terms of Service, and Asana may pursue any remedies available to it under applicable law.
b) Reproducibility
Our engineers must be able to reproduce the security flaw from your report. Reports that are too vague or unclear are not eligible for a reward. Reports that include clearly written explanations and working code are more likely to garner rewards.
More severe bugs will be met with greater rewards. We are most interested in vulnerabilities affecting app.asana.com and asana.com. Other Asana subdomains are generally not eligible for rewards unless the reported vulnerability somehow affects app.asana.com or Asana customer data.
Examples of Qualifying Vulnerabilities
Examples of Non-Qualifying Vulnerabilities
Please email us at security@asana.com with any vulnerability reports or questions about the program.