Action Required: All Atlassian Marketplace bug bounty programs must be public by June 30th, 2026, and should be in progress by March 1st, 2026. Programs that haven't started the public transition process could be paused and deactivated. Start your transition now through ECOHELP.
To strengthen security and foster a collaborative environment, Atlassian will be requiring all Marketplace bug bounty programs to be public. Public programs offer greater accessibility for security researchers, streamline vulnerability reporting, and help ensure programs remain active and effective over time.
Transitioning to a public program is free of charge and offers immediate benefits for your security posture.
Opening your bug bounty program to the public delivers several key benefits:
Expanded Researcher Pool
Your program will attract a diverse range of security researchers, increasing the likelihood of uncovering critical vulnerabilities.
Increased Visibility
Public programs are listed on bugcrowd.com/engagements, a central hub for researchers seeking new challenges.
Diverse Skill Levels
Engage with researchers of varying experience. Bugcrowd's triage team supports newer participants to maintain submission quality.
Managed Submission Flow
Bugcrowd limits public launches to three per week, allowing triage teams to effectively manage incoming reports.
Enhanced Security Reputation
Public participation demonstrates a strong commitment to security, building trust with customers and the community.
Plan ahead for these common challenges to ensure a smooth transition to public.
| Challenge | Impact | Mitigation Strategy |
|---|---|---|
| Submission Overload | Teams may be overwhelmed by report volume | Prepare a contingency plan and ensure robust triage processes are in place |
Before making your bug bounty program public, ensure the following requirements are met:
| Requirement | Description | Why is this important? |
|---|---|---|
| Gradual Researcher Onboarding | Have a minimum of 250 researchers for at least 2 weeks | Prevents overwhelming your triage process with sudden volume spikes |
| Funding | Maintain at least $5,000 in your program account | Ensures you can promptly reward researchers for valid submissions |
| Vulnerability Queue | No more than three P1 (critical) vulnerabilities should be outstanding | Demonstrates your ability to handle critical security issues promptly |
| Consider Increasing Rewards (Suggestion) | At your discretion, you can increase rewards to improve incentives for researchers | Demonstrates your program maturity |
| Queue Hygiene | Ensure there are no overdue items or policy violations in your queue | Shows program maturity and operational readiness |
| Accurate Scope and Targets | Review and confirm that all program scope and targets are up to date | Prevents confusion and misdirected research efforts |
| Robust Review Process | Internal team must have a scalable process for handling increased volume | Critical for managing the initial weeks post-launch effectively |
The internal team responsible for triage must have a scalable process in place to handle increased submission volume, especially during the initial weeks post-launch.
Ready to go public? Start by raising an ECOHELP ticket and we'll create a customized transition plan for your program.
1. Initial Request
Raise a ticket in the ECOHELP queue and Bugcrowd will work with you on a specific plan for making your program public-facing.
2. Customized Timeline
Timelines and plans for going public will vary based on how your program has performed in the past and how much ramp-up may be required to get it to public in a non-overwhelming way.
3. Scheduled Launch
Deadline for compliance: All Atlassian Marketplace bug bounty programs must be public by June 30th, 2026, and should be in progress by March 1st, 2026. Programs that haven't started the public transition process could be paused and deactivated.
No exceptions policy:
Unfortunately, there are no exceptions, and all Atlassian-managed Marketplace bug bounty programs must be public or actively working toward transitioning to a public program.
What this means for your program:
Your program must be Public or you must have raised an ECOHELP ticket to start the transition process.
Enforcement actions:
If you are not in the process of going public by the compliance deadline, Atlassian is entitled to pause and deactivate your bug bounty program.
Once the program is made public, you will not be able to transition it back to private again.
For questions about transitioning your bug bounty program to public: