Last updated Nov 20, 2019

Atlassian Marketplace security bug bounty program

A bug bounty program is one of the most powerful post-production tools you can implement to help detect vulnerabilities in your applications and services. Crowdsourcing vulnerability discovery augments the skills of your team by providing access to a skilled pool of security researchers.

The Atlassian Marketplace Bug Bounty Program

In June 2019, Atlassian and four partners in the Top Vendor Program (Adaptavist, ALM Works, K15t, and Tempo) engaged in a trial bug bounty program. This trial was such an overwhelming success that Atlassian is expanding the program to all Atlassian Marketplace vendor partners.

How does the Atlassian Marketplace Bug Bounty Program work?

The Atlassian Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers.

When you join the Atlassian Marketplace Bug Bounty Program, your program starts as a private program, and Bugcrowd invites researchers to participate.

When security researchers accept the invite to join your program, they are given instructions about what they are and aren’t allowed to test. These instructions are known as the scope of your program. For example, you may want the researchers to test your flagship marketplace applications, but not your main website or one of your newer applications. You also give the researchers instructions on how to set up each of the targets that they’re testing, so that the researchers can start testing quickly.

The security researchers then test your targets for vulnerabilities. When the researcher believes they have detected a vulnerability, they report the finding using the Bugcrowd platform, and include enough detail for others to reproduce the vulnerability.

The Bugcrowd Application Security Engineering (ASE) team then reviews the report. The ASE team ensures that the vulnerability is reproducible, is within the scope of your program, and includes any additional information you have requested.

When the ASE team is confident that the vulnerability report is valid, they flag it as triaged and your team is notified that a potential vulnerability has been discovered. Your team now reviews the report to make sure that you agree with the security researcher and ASE’s assessment that there is a vulnerability that needs fixing.

If your team decides that the vulnerability needs fixing, then you reward the security researcher with a bounty (see below for the recommended bounty amounts). This reward thanks the researcher and compensates them for their hard work and dedication in finding the vulnerability. This is also when you create a ticket for your development team to fix the vulnerability and improve the security of your application.

When the vulnerability is fixed, notify the researcher and they are usually happy to test your fix.

And that’s it. Your application is more secure, the researcher moves on to look for more vulnerabilities, and the circle begins again.

What are the benefits of joining the Atlassian Marketplace Bug Bounty Program?

Bug bounty and vulnerability disclosure programs have delivered excellent results in finding vulnerabilities in an extremely cost-efficient way. If you are looking to start or extend your security story, the Atlassian Marketplace Bug Bounty Program is a convenient way to ensure the security of your apps. Whether you want to begin security testing on all of your apps, or with one or two and grow your program later, the Atlassian Marketplace Bug Bounty Program can be tailored to fit your organization’s requirements and use cases.

A bug bounty program also helps increase trust between vendors and customers. From the program, you can generate third-party penetration test reports for your customers. Here at Atlassian, we publish these reports: download the latest copies from our Security practices page. Bug bounty programs are also a useful addition to compliance and privacy programs.

Along with these benefits, Atlassian plans to highlight apps that are participating in paid bug bounty programs on the Atlassian Marketplace. We want to signal to our customers the apps that reward researchers for reporting vulnerabilities and promote security-conscious apps in the marketplace.

What has the Atlassian Marketplace Bug Bounty Program achieved?

From June to mid-October, the Atlassian Marketplace Bug Bounty Program has seen:

  • 36 vulnerabilities detected by security researchers, consisting of:
    • 3 critical severity vulnerabilities
    • 6 high severity vulnerabilities
    • 20 medium severity vulnerabilities
    • 7 low severity vulnerabilities
  • A total of $15,700 paid to security researchers, an average of $436.11 per vulnerability

What are the guidelines for running your Atlassian Marketplace Bug Bounty Program?

To ensure the success of the Atlassian bug bounty program, which has been running for several years, we created requirements and guidelines that we hold ourselves accountable to. Our experience suggests that adhering to these requirements and guidelines ensures a successful bug bounty program.

So that the Atlassian Marketplace Bug Bounty Program can see a similar level of success and to make it a great place for collaboration with security researchers, the Atlassian Ecosystem Security Team has defined the following requirements and standards you are expected to uphold.

  1. All vulnerability reports from security researchers must be accepted or declined within 2 weeks of being triaged.
    • This requirement ensures that there is a consistent feedback loop between you and the security researchers. We have found that a short feedback loop and consistent communication with researchers leads to the most successful results for bug bounty programs.
  2. All accepted vulnerabilities must be remediated in line with the Atlassian security SLAs.
    • This requirement brings the bug bounty in line with the new security requirements for cloud apps. This SLA is one that Atlassian customers have come to expect and leads to an increase in customer trust.
  3. You are responsible for rewarding security researchers for valid vulnerability findings.
    • See “What are the costs associated with joining the Atlassian Marketplace Bug Bounty Program” for more details.
  4. You must assign a Bug Bounty program owner from your organization.
    • The program owner is the point of contact for Atlassian should we need to get in touch about the bounty program.

What are the costs associated with joining the Atlassian Marketplace Bug Bounty Program?

As part of the agreement with Bugcrowd, Atlassian covers all of the platform costs for our vendor partners: you do not have to pay for access to the Bugcrowd platform or the triaging of reported vulnerabilities by the Application Security Engineering team.

You, as the vendor partner, need to cover the costs of the bounty payouts. Below is a table of the minimum payouts required by Atlassian for your bug bounty program. The decision about the severity of a vulnerability and the payout to the researcher, as long as it meets the minimum levels, is entirely at your discretion.

Vulnerability severity                  Bug bounty reward amount (in USD)
P1 (Critical)                           $1,500
P2 (High)                               $900
P3 (Medium)                             $300
P4 (Low)                                $100
P5 (No appreciable security impact)     $0

One of the most beneficial features of the Atlassian Marketplace Bug Bounty Program is that you only pay for the first report of any valid vulnerability; duplicate reports of the same issue do not incur a second payout. This feature makes the program one of, if not the, most cost-efficient vulnerability detection tools available.

How do I join the Atlassian Marketplace Bug Bounty Program?

If you’re a Vendor Partner in the Atlassian Marketplace, email a request to join the program to Matt Hart (the program owner) and he will work with you to get your program set up.

Contact Details: Matt Hart, mhart@atlassian.com (Timezone location: Australia)

Matt is also happy to answer any questions or queries you may have about the program. Alternatively, Bugcrowd offers an FAQ.