Report from BugCrowd on March 16th, 2025
The text below is a summary of the security audit performed by BugCrowd after being retested. See the full report.
Requirement_Yogi_Retest_c_suite_report_16-MAR-2026_v1.0_eb1e438a-2dee-4bc3-a6a0-8290f3f0f1d1.pdf
Introduction
This document reports the security audit results of the Confluence and Jira plugins “Requirement Yogi Cloud”, “Requirement Yogi for Jira Cloud”, Requirement Yogi Standalone application and the Keycloak authentication platform developed by the company Requirement Yogi.
BugCrowd performed the audit from January 28th, 2026, through February 16th, 2026.
Risk analysis summary
The main risks which the auditor was asked to focus on were:
- Data injection,
- Security Misconfiguration.
During the audit, the auditor identified 9 vulnerabilities. 1 Critical, 1 Low, and 1 Informational vulnerability were retested and could no longer be reproduced with the reproduction steps. These findings are now remediated.
The remaining vulnerabilities include:
- 0 Critical
- 0 Severe
- 0 Moderate
- 0 Low
- 5 Informational
Risk assessment grades
The following key is used to explain how Bugcrowd rates valid vulnerability submissions and their technical severity. As a trusted advisor, Bugcrowd also provides common "next steps" for program owners per severity category.
More detailed information regarding our vulnerability classification can be found at: https://bugcrowd.com/vrt
Conclusion
RISK : LOW
Bugcrowd has rated the risk to Requirement Yogi's assets as Low.
Please note that Atlassian encourages self-managed Penetration Testing by CREST Accredited testing vendors: https://developer.atlassian.com/platform/marketplace/marketplace-penetration-testing-program/#self-managed-penetration-testing