A bug bounty program is one of the most powerful post-production tools you can implement to help detect vulnerabilities in your applications and services. Crowdsourcing vulnerability discovery augments the skills of your team by providing access to a skilled pool of security researchers.
In June 2019, Atlassian and four partners in the Top Vendor Program (Adaptavist, ALM Works, K15t, and Tempo) engaged in a trial bug bounty program. This trial was such an overwhelming success that Atlassian is expanding the program to all Atlassian Marketplace vendor partners.
The Atlassian Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers.
When you join the Atlassian Marketplace Bug Bounty Program, your program starts as a private program, and Bugcrowd invites researchers to participate.
When security researchers accept the invite to join your program, they are given instructions about what they are and aren’t allowed to test. These instructions are known as the scope of your program. For example, you may want the researchers to test your flagship marketplace applications, but not your main website or one of your newer applications. You also give the researchers instructions on how to set up each of the targets that they’re testing, so that the researchers can start testing quickly.
The security researchers then test your targets for vulnerabilities. When the researcher believes they have detected a vulnerability, they report the finding using the Bugcrowd platform, and include enough detail for others to reproduce the vulnerability.
The Bugcrowd Application Security Engineering (ASE) team then reviews the report. The ASE team ensures that the vulnerability is reproducible, is within the scope of your program, and includes any additional information you have requested.
When the ASE team is confident that the vulnerability report is valid, they flag it as triaged and your team is notified that a potential vulnerability has been discovered. Your team now reviews the report to make sure that you agree with the security researcher and ASE’s assessment that there is a vulnerability that needs fixing.
If your team decides that the vulnerability needs fixing, then you reward the security researcher with a bounty (see below for the recommended bounty amounts). This reward thanks the researcher and compensates them for their hard work and dedication in finding the vulnerability. This is also when you create a ticket for your development team to fix the vulnerability and improve the security of your application.
When the vulnerability is fixed, notify the researcher; they are usually happy to retest and confirm your fix.
And that’s it. Your application is more secure, the researcher moves on to look for more vulnerabilities, and the circle begins again.
Bug bounty and vulnerability disclosure programs have delivered excellent results in finding vulnerabilities in an extremely cost-efficient way. If you are looking to start or extend your security story, the Atlassian Marketplace Bug Bounty Program is a convenient way to ensure the security of your apps. Whether you want to begin security testing on all of your apps, or with one or two and grow your program later, the Atlassian Marketplace Bug Bounty Program can be tailored to fit your organization’s requirements and use cases.
A bug bounty program also helps increase trust between vendors and customers. From the program, you can generate third-party penetration test reports for your customers. Here at Atlassian, we publish these reports: download the latest copies from our Security practices page. Bug bounty programs are also a useful addition to compliance and privacy programs.
Along with these benefits, Atlassian plans to highlight apps that are participating in paid bug bounty programs on the Atlassian Marketplace. We want to signal to our customers the apps that reward researchers for reporting vulnerabilities and promote security-conscious apps in the marketplace.
In the six months since we rolled out a beta of this project, the Marketplace Bug Bounty program has helped identify 277 vulnerabilities in 32 marketplace apps. After a preliminary beta, with 4 top Marketplace Partners, we have now opened the program to all Marketplace Partners.
To ensure the success of the Atlassian bug bounty program, which has been running for several years, we created requirements and guidelines that we hold ourselves accountable to. Our experience suggests that adhering to these requirements and guidelines ensures a successful bug bounty program.
So that the Atlassian Marketplace Bug Bounty Program can see a similar level of success and to make it a great place for collaboration with security researchers, the Atlassian Ecosystem Security Team has defined the following requirements and standards you are expected to uphold.
As part of the agreement with Bugcrowd, Atlassian covers all of the platform costs for our vendor partners: you do not have to pay for access to the Bugcrowd platform or the triaging of reported vulnerabilities by the Application Security Engineering team.
You, as the vendor partner, need to cover the costs of the bounty payouts. Below is a table of the minimum payouts required by Atlassian for your bug bounty program. However, we can support lower payouts and points-only programs on request. The decision about the severity of a vulnerability and the payout to the researcher is entirely at your discretion.
| Vulnerability severity | Bug bounty reward amount (in USD) |
| --- | --- |
| P5 (No appreciable security impact) | $0 |
One of the most beneficial features of the Atlassian Marketplace Bug Bounty Program is that you only pay for the first report of any valid vulnerability; duplicate reports of the same issue do not incur a bounty. This makes the program one of, if not the, most cost-efficient vulnerability detection tools available.
If you’re a Vendor Partner in the Atlassian Marketplace, you can request to join the program by raising a ticket at this service desk. The Atlassian Ecosystem Security Team will work with you to set up your program.
The Atlassian Ecosystem Security Team is also happy to answer any questions or queries you may have about the program via the same service desk. Alternatively, Bugcrowd offers an FAQ.