
  • Vulnerabilities rewarded: 182
  • Validation within 10 days: 75% of submissions are accepted or rejected within 10 days
  • Average payout: $205 (last 3 months)

No technology is perfect and Asana believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We are excited for you to participate as a security researcher in order to identify weaknesses. If you believe you've found a security issue, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Ratings/Rewards:

For the initial prioritization/rating of findings, this program will use the Bugcrowd Vulnerability Rating Taxonomy. However, it is important to note that in some cases a vulnerability priority will be modified due to its likelihood or impact. In any instance where an issue is downgraded, a full, detailed explanation will be provided to the researcher - along with the opportunity to appeal, and make a case for a higher priority.

Likelihood: how likely this particular vulnerability is to be uncovered and exploited by an attacker.
Impact: technical impact + business impact. The first is the technical impact on the application, the data it uses, and the functions it provides; the second is the business impact on the business and company operating the application. See the OWASP Risk Rating Methodology as a reference.

Asana uses a nonce-based Content Security Policy (CSP). If you discover an XSS vulnerability that you cannot exploit because of the CSP, but that would be at least a P4 without the CSP present, we will reward it as a P4.
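Before reporting a finding as "blocked by CSP" at the reduced rating, it is worth confirming that the policy really stops the payload and that the nonce is not static. The following is an added example written for this brief, not Asana's code; the policy strings are constructed for illustration and are not Asana's real header. It parses a CSP header, applies the nonce/hash rules that neutralise 'unsafe-inline', decides whether an injected inline script would run, and flags a nonce that repeats across responses (which would make the CSP guessable and the XSS fully exploitable).

```python
"""Static check of whether an injected inline <script> runs under a given CSP.

Added example for this brief (editor's code, not Asana's). The policy strings below
are constructed for illustration and are not Asana's actual header.
"""
from __future__ import annotations

import re


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header into {directive: [source, ...]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def script_sources(policy: dict[str, list[str]]) -> list[str]:
    """script-src governs scripts; when absent, default-src applies (CSP fallback rule)."""
    return policy.get("script-src", policy.get("default-src", []))


def nonces(policy: dict[str, list[str]]) -> set[str]:
    """Nonce values the script-src list accepts, e.g. 'nonce-abc' -> {'abc'}."""
    return {s[len("'nonce-"):-1] for s in script_sources(policy) if s.startswith("'nonce-")}


def inline_script_allowed(policy: dict[str, list[str]], payload_nonce: str | None) -> bool:
    """Decide whether an inline script carrying `payload_nonce` (or none) executes.

    CSP Level 2/3 rules applied here:
    - a script whose nonce attribute matches a 'nonce-...' source runs;
    - once any nonce or hash source is listed, 'unsafe-inline' is ignored;
    - otherwise inline scripts run only when 'unsafe-inline' is listed.
    """
    sources = script_sources(policy)
    allowed = nonces(policy)
    has_hash = any(s.startswith(("'sha256-", "'sha384-", "'sha512-")) for s in sources)
    if payload_nonce is not None and payload_nonce in allowed:
        return True
    if allowed or has_hash:
        return False
    return "'unsafe-inline'" in sources


def injected_script_runs(header: str, payload: str) -> bool:
    """Does attacker-controlled markup containing a <script> tag execute under `header`?

    The attacker controls only the markup, so the sole way to carry a valid nonce is to
    know the page's current nonce; an absent or non-matching nonce is blocked.
    """
    match = re.search(r"<script\b[^>]*?\bnonce=[\"']?([^\"'\s>]+)", payload, re.IGNORECASE)
    payload_nonce = match.group(1) if match else None
    return inline_script_allowed(parse_csp(header), payload_nonce)


def nonce_reused(*headers: str) -> bool:
    """True when every response carries the same non-empty nonce set.

    A nonce that does not change per response is guessable, so a CSP built on it no
    longer blocks XSS; check this before accepting the reduced 'CSP-blocked' rating.
    """
    seen = [frozenset(nonces(parse_csp(h))) for h in headers]
    return len(seen) > 1 and bool(seen[0]) and all(s == seen[0] for s in seen)


# Constructed policies (not Asana's): a per-response nonce policy and a legacy one.
PAGE_NONCE = "d2hhdGV2ZXI"
NONCE_CSP = (f"default-src 'self'; script-src 'nonce-{PAGE_NONCE}' 'strict-dynamic' "
             "'unsafe-inline' https:; object-src 'none'")
LEGACY_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
PAYLOAD = "<script>alert(document.domain)</script>"

if __name__ == "__main__":
    print("legacy policy, plain payload runs:", injected_script_runs(LEGACY_CSP, PAYLOAD))
    print("nonce policy, plain payload runs:", injected_script_runs(NONCE_CSP, PAYLOAD))
    print("nonce policy, nonce known runs:",
          injected_script_runs(NONCE_CSP, f'<script nonce="{PAGE_NONCE}">alert(1)</script>'))
    print("nonce reused across two responses:", nonce_reused(NONCE_CSP, NONCE_CSP))
```

This is a static approximation of the browser's decision, useful for triaging a header you captured; the authoritative check is still the browser console, which reports the blocked inline script and the directive that blocked it. To use `nonce_reused`, fetch the same page two or more times and pass each response's Content-Security-Policy header.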

Please also include the following information in your submission (if applicable):

Domain Type (organization/workspace)
Domain ID(s) used
Domain Tier (free/premium/business/enterprise)
Attacker membership level(s)
Victim membership level(s)
Security Impact
Emails of accounts used for testing

Special note on prompt injection

We will consider submissions of this type if you can manipulate the AI to produce a measurable security impact on Asana, not merely manipulate the AI model's output.

Targets
Target Rating: 4 out of 4

Bugcrowd calculates scope ratings based on the depth and breadth of in-scope targets.
  • Asana Targets

    In scope

    Payment reward chart
    P1: $2500 – $6500
    P2: $1000 – $2500
    P3: $500 – $1000
    P4: $100 – $500

    The applications that access *.asana.plus can be found on the following page. Please note that only the apps made by Asana would be in scope.

    Name / Location | Tags | Known issues
    app.asana.com | nginx, ReactJS, Website Testing |
    asana.com | ReactJS, jQuery, Website Testing |
    *.asana.plus | |
    *.asana.biz | |
    Asana Desktop App | Desktop Application Testing |
    Asana iOS app | iOS |
    Asana Android app | Android |
    form.asana.com | Website Testing |
    *.app.asana.com | Website Testing |
  • Out of Scope

    Out of scope
    Name / Location | Tags | Known issues
    Other subdomains of asana.com | |
    Social engineering against Asana Support or Asana Employees | |
    jira*.integrations.asana.plus | |
    asana.okta.com | |
    assets.asana.biz | |
    Forms that you do not own | |

Target Information:

Asana helps teams organize and manage all their work in the form of different projects. Please refer to the credentials section to understand how to sign up and go through the onboarding workflow to create one such project/workspace.

Permissions overview
https://help.asana.com/hc/en-us/articles/17826920767259-Permissions-overview
Help articles
https://help.asana.com/hc/en-us/sections/14005484724635-Permissions
https://help.asana.com/hc/en-us
Developer Documentation
https://developers.asana.com/docs
API Documentation
https://developers.asana.com/docs
https://developers.asana.com/docs/app-components
Asana Academy
https://academy.asana.com/
Other helpful resources
https://help.asana.com/hc/en-us/articles/14075208738587-Premium-Business-and-Enterprise-authentication
https://help.asana.com/hc/en-us/articles/14139896860955-Privacy-and-security
https://asana.com/features/admin-security/admin-console
https://asana.com/product/ai
https://help.asana.com/s/article/ai-studio

Credentials:

Please self sign up for a free account using your @bugcrowdninja.com email address at https://asana.com/create-account. This process will automatically get you a free 30 day trial of Asana's Premium/Business accounts, without needing to input your credit card information.
If you would like to continue using a premium account for testing after the trial ends, please create a new account using username+1@bugcrowdninja.com, etc.

Out of Scope (PLEASE READ)


  • assets.asana.biz
  • Any testing involving making repetitive network requests. This includes testing for denial of service attacks and testing to see if rate limits are properly in place.
  • Submitting any form on form.asana.com or form-beta.asana.biz that you did not create yourself. This includes submitting any customer survey hosted on those domains.
  • Any Jira instance hosted on a subdomain of integrations.asana.plus. For example, jira-prod.integrations.asana.plus would be out of scope but foo.integrations.asana.plus would be in scope.
  • If you find credentials, including but not limited to Asana logins, Okta logins, etc please report them but DO NOT attempt to log in. We will validate on our end.
  • Submissions only containing leaked passwords, access tokens, etc will be accepted and rewarded with points only.
  • Submissions only containing leaked documents, files etc will be accepted and rewarded with points only.
  • Submissions containing only broken links, or links pointing to unowned domains in documentation or static Asana websites, with no further impact will be accepted and rewarded with points only.
  • HTTP 404 codes/pages or other HTTP non-200 codes/pages.
  • Fingerprinting / banner disclosure on common/public services.
  • Disclosure of known public files or directories, (e.g. robots.txt).
  • Clickjacking and issues only exploitable through clickjacking.
  • Security best practices without evidence of security impact or exploitation
  • Weak login/signup without evidence of security impact or exploitation
  • Weak password policy without demonstrated impact or exploitation
  • Cookie issues without evidence of security impact or exploitation
  • Lack of Secure/HTTPOnly flags on non-sensitive Cookies.
  • Missing HTTP security headers, specifically https://www.owasp.org/index.php/List_of_useful_HTTP_headers
  • Publicly-known zero-day vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability
  • Descriptive error messages (e.g. Stack Traces, application or server errors).
  • EXIF data not being stripped from files or attachments.
  • Attacks that aim to destroy or corrupt data not belonging to you.
  • Intentional access to data or information not belonging to you beyond the minimum necessary to demonstrate the vulnerability.
  • Do not access or manipulate data outside of domains that you control (including but not limited to customer data).

Focus Areas:

Testing is only authorized on the targets listed as In-Scope. Any domain/property of Asana not listed in the targets section is out of scope. This includes any/all subdomains not listed above. If you happen to identify a security vulnerability on a target that is not in-scope, but that demonstrably belongs to Asana, it may be reported to this program, and is appreciated - but will ultimately be marked as ‘not applicable’ and will not be eligible for monetary or points-based compensation.


Safe Harbor:

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) (and/or similar state laws), and we will not initiate or support legal action against you for accidental, good faith violations of this policy;
  • Exempt from the Digital Millennium Copyright Act (DMCA), and we will not bring a claim against you for circumvention of technology controls;
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy; and
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.
  • You are expected, as always, to comply with all applicable laws.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please inquire via support@bugcrowd.com before going any further.

  • Jill announced New Targets added!

    Hello Researchers!!

    We hope your testing is going well. Here is an update that should make things a bit more interesting!

    We have added some new In-Scope targets to our program! As always, please see the program brief for the full details around testing.

    Get out there and lay claim to those bugs!

  • y3t1 announced 2x Bonus Opportunity for Asana's Bug Bounty Program!

    Asana is happy to announce another bonus earning opportunity!

    Starting now, October 2, 2023 and going until November 2, 2023 23:59 PT, Asana is running a 2x bonus opportunity for vulnerabilities found in our Google Workspace add-ons.

    Google Workspace add-ons are applications that integrate directly with the Google Workspace suite. You can learn more about them here.

    Asana has two add-ons - one allows you to create tasks directly from Gmail, and the other turns Asana links into Smart Chips in Google Docs. Learn more about Smart Chips here

    How to access this feature

    You can install both Asana add-ons by going here.

    How to use this feature

    Smart Chips
    Install the add-on by going here. Then, add a link to an Asana task in any Google Doc. You will be prompted to add the Smart Chip functionality.

    Gmail
    View the documentation here.

    We are unsure of the risk surface here and are open to all vulnerability classes (within the usual scope). Remember, please do not use repetitive network requests and refrain from testing any other Google surface areas, as these are outside the scope of this program. Refer to Google's bug bounty program if you are interested in testing their services.

    Bonus Reward Details

    Priority/Bonus Qualifications | Bonus Reward
    P1-P3 on Asana's Google Workspace add-ons | 2x current bounty range (i.e. current range for P3 is $850 – $1000; with bonus, range is $1700 – $2000)
  • y3t1 announced 100% Bonus for Vulns in New Mobile App Feature

    We have another bonus opportunity for you all!

    Starting today, May 4, 2023 and going until June 4, 2023, Asana is launching a bonus opportunity for vulnerabilities found in our new feature multiple account support on mobile.

    In brief, multi-account support allows you to sign into multiple Asana accounts on the Asana mobile app (both iOS and Android).

    How to access this feature
    This feature is not yet in production, so you will need to download the Asana beta app for iOS and/or Android.
    To get the iOS app, please visit go.asana.com/ios-beta
    To get the Android app, please visit go.asana.com/android-beta

    How to use this feature
    Users will first need to be logged in with an account. Then they can add a new account by navigating to the Account tab and tapping on their avatar. This will open a menu with options to sign into additional accounts. Once the sign-in flow has been completed, you can toggle between the accounts using the same menu or by double tapping (Android) or long pressing (iOS) the Account tab to pull up the quick switcher.

    We are unsure of the risk surface here and are open to all vulnerability classes (within the usual scope) in both the iOS and Android apps.

    Bonus Reward Details

    Priority/Bonus Qualifications | Bonus Reward
    P1-P3 on multi-account support on mobile | 2x current bounty range (i.e. current range for P3 is $850 – $1000; with bonus, range is $1700 – $2000)
  • Submission accepted on target: asana.com

    Accepted on 13 Feb 2025
  • Submission accepted on target: app.asana.com

    • By Private user
    • Engagement Asana
    • Reward $500
    • Priority P3
    Accepted on 13 Feb 2025
  • Submission accepted on target: *.app.asana.com

    • By Private user
    • Engagement Asana
    • Priority P4
    Accepted on 13 Feb 2025


Things to know

  • Testing problems
    For any testing issues (such as broken credentials, inaccessible application, or Bugcrowd Ninja email problems), please visit Bugcrowd Support and create a support ticket. We will address your issue as soon as possible.
  • Engagement rules
    This engagement follows Bugcrowd’s standard disclosure terms.
  • Disclosure
    This engagement does not allow disclosure. You may not release information about vulnerabilities found in this engagement to the public.