Last updated Jan 14, 2025

Penetration Test Scoping Template for Marketplace Apps

About this template

Use this template when engaging a CREST-accredited penetration testing provider. Complete all sections so that your penetration test aligns with Atlassian's security requirements and gives comprehensive coverage of your Marketplace app.

For app developers using the Atlassian & Bugcrowd managed service, this scoping is handled automatically; see our How To: Get Your App(s) Penetration Tested guide.

Scoping Questions

SCOPING AREA / QUESTION & RESPONSE

Contact Information
Best point(s) of contact for technical information about the product? What is the best way to contact them?

Timing and Scheduling
Do you have any timing requests for when we shouldn't do the pentest, e.g. any off-limit date ranges?

Technical Details
What framework does this app utilize? Forge or Connect?

Application Overview
Please provide:
• High-level summary of the app's purpose and core functions
• User guides, API documentation, or other helpful resources
• App features and expected workflows
• Public-facing URLs (if applicable)
• Level of data the app processes or stores
• AI functionality description (if applicable)

External Integrations
Any custom web triggers, outgoing webhook URLs, or external integrations to consider.
List of external domains the app interacts with.

Security History
Has a security review/penetration test been performed before? Provide a link to, or embed, the most recent documents if possible.
Previous findings for this app.
If the product has been security tested before, what major changes/features have been developed since then?
If the product hasn't been tested before, what do you think a hacker would be interested in doing if they hacked this application?

Risk Assessment
Are there particular areas you think are risky, or that could benefit from deep-diving during the security test?

Technical Access and Testing
If you have a list of the application routes, please provide it.
Are there multiple user privilege levels, roles, or paywall levels that the application should be security assessed from?
If so, what differences in functionality exist between these levels?
How can we get a non-prod environment for testing and debugging, and access to logs, for the aforementioned user levels?
Are there any access prerequisites or restrictions?

Additional Notes
Any further notes?
Copy-friendly template

Use this text version to create your own fillable scoping document.

How to use: Click in the text box below, select all (Ctrl+A), copy, and paste into your preferred application.

===============================================================================
                        PENETRATION TEST SCOPING TEMPLATE
===============================================================================

** CONTACT INFORMATION **

1. Best point(s) of contact for technical information about the product?
   Name: [ENTER NAME HERE]
   Role: [ENTER ROLE HERE]
   
2. What is the best way to contact them?
   Email: [ENTER EMAIL HERE]
   Phone: [ENTER PHONE HERE]
   Preferred method: [EMAIL/PHONE/SLACK/OTHER]

** TIMING AND SCHEDULING **

3. Do you have any timing requests for when we shouldn't do the pentest?
   Off-limit date ranges: [ENTER DATES OR "NONE"]
   
4. Is there a specific date you would like the testing completed by?
   Target completion date: [ENTER DATE OR "FLEXIBLE"]
   Hard deadline (if any): [ENTER DATE OR "NONE"]

** TECHNICAL DETAILS **

5. What framework does this app utilize?
   [DELETE OTHERS: Forge / Connect / Connect on Forge]
   
   Additional details: [ENTER FRAMEWORK DETAILS OR "NONE"]

** APPLICATION OVERVIEW **

6. Please provide:

   • High-level summary of app's purpose and core functions:
   [DESCRIBE YOUR APP'S MAIN PURPOSE AND KEY FEATURES]
   
   • User guides, API documentation, or other helpful resources:
   [PROVIDE LINKS TO DOCUMENTATION OR "NOT AVAILABLE"]
   
   • App features and expected workflows:
   [DESCRIBE HOW USERS INTERACT WITH YOUR APP]
   
   • Public-facing URLs (if applicable):
   [ENTER URLS OR "NOT APPLICABLE"]
   
   • Level of data the app processes or stores:
   [DESCRIBE DATA TYPES AND SENSITIVITY LEVEL]
   
   • AI functionality description (if applicable):
   [DESCRIBE AI FEATURES OR "NO AI FUNCTIONALITY"]

** EXTERNAL INTEGRATIONS **

7. Any custom web triggers, outgoing webhook URLs, or external integrations?
   [DESCRIBE INTEGRATIONS OR "NONE"]

8. List of external domains the app interacts with:
   [LIST EXTERNAL DOMAINS OR "NONE"]

** SECURITY HISTORY **

9. Has a security review/penetration test been performed before?
   [DELETE ONE: YES / NO]
   
   If yes, when: [ENTER DATE OR "NOT APPLICABLE"]

10. Provide a link or embed the most recent documents if possible:
    [ENTER LINK OR "NOT AVAILABLE"]

11. Previous findings for this App:
    [DESCRIBE PREVIOUS FINDINGS OR "NOT APPLICABLE"]

12. If previously tested, what major changes/features developed since then?
    [DESCRIBE CHANGES OR "NOT APPLICABLE"]

13. If not previously tested, what would a hacker be interested in targeting?
    [DESCRIBE POTENTIAL TARGETS OR "NOT APPLICABLE"]

** RISK ASSESSMENT **

14. Are there particular areas you think are risky or need deep-diving?
    [DESCRIBE RISKY AREAS OR "NO SPECIFIC CONCERNS"]

** TECHNICAL ACCESS AND TESTING **

15. Application routes list (or link to code mappings):
    [PROVIDE ROUTES LIST OR "WILL BE PROVIDED SEPARATELY"]

16. Are there multiple user privilege levels, roles, or paywall levels?
    [DELETE ONE: YES / NO]
    
    If yes, detail functionality differences between levels:
    [DESCRIBE DIFFERENT ACCESS LEVELS OR "NOT APPLICABLE"]

17. How can we get a non-prod environment for testing and log access?
    [DESCRIBE ACCESS PROCESS]

18. Are there any access prerequisites or restrictions?
    [DESCRIBE RESTRICTIONS OR "NONE"]

** ADDITIONAL NOTES **

19. Any further notes or special considerations?
    [ENTER ADDITIONAL NOTES OR "NONE"]

===============================================================================
Template completed by: [ENTER YOUR NAME]     Date: [ENTER DATE]
===============================================================================

Resources for Testers

To help your penetration testing provider understand Atlassian frameworks and common vulnerability patterns, share these resources:

For questions about this template or the penetration testing process, see our Marketplace Penetration Testing Program guide.
