Vulnerability Disclosure Program (VDP)
VDPs are meant for responsibly reporting vulnerabilities you encounter — not for actively hunting for fame or reputation. Even if you're just starting out, consider focusing on rewarded bug bounty programs instead.
asana
10
In Scope
6
Out of Scope
In-Scope Assets (10)
| Asset | Category | Bounty | Quick Links | |
|---|---|---|---|---|
| *.app.asana.com | URL | No | ||
| Subdomain takeover at *asana.biz | OTHER | No | - | |
| https://*.asana.biz | OTHER | No | - | |
| https://app.asana.com | URL | No | ||
| https://apps.apple.com/us/app/asana-mobile/id489969512 | IOS | No | - | |
| https://asana.com | URL | No | ||
| https://asana.com/apps?category=made-by-asana | URL | No | ||
| https://asana.com/download | OTHER | No | - | |
| https://form.asana.com | URL | No | ||
| https://play.google.com/store/apps/details?id=com.asana.app&hl=en | ANDROID | No |
Out-of-Scope Assets (6)
| Asset | Category | Bounty | |
|---|---|---|---|
| Forms that you do not own | OTHER | No | |
| Other subdomains of asana.com | URL | No | |
| Social engineering against Asana Support or Asana Employees | OTHER | No | |
| asana.okta.com | URL | No | |
| assets.asana.biz | URL | No | |
| jira*.integrations.asana.plus | URL | No |