Last updated Jan 14, 2025

Marketplace Penetration Testing Program

Penetration testing is a critical component of a comprehensive security strategy, providing valuable insight into your app's security through systematic testing and analysis.

The Atlassian Marketplace Penetration Testing Program helps Marketplace Partners get professional security testing for their apps with experienced testers, while streamlining the scoping, vulnerability filing, and tracking process.

Program benefits and objectives

The program aims to provide Marketplace Partners with accessible, high-quality penetration testing services that align with Atlassian Marketplace's security standards and customer expectations.

Professional security validation

Our penetration testing program offers:

  • Comprehensive test scoping across all Atlassian Cloud app frameworks
  • Security researchers with experience testing Atlassian cloud applications
  • Standardized vulnerability tracking in our AMS Jira project to ensure timely remediation

Per-app enrollment: This program requires separate participation for each Marketplace app. Enrolling one app does not cover your other apps or your entire program. You can be selective and choose which apps to test!

Before applying, ensure your app is already publicly listed on the Atlassian Marketplace.

Proven security benefits

Penetration testing complements other security practices like bug bounties and code reviews by finding different types of vulnerabilities. In our internal testing of Marketplace apps that had minimal bug bounty activity, we discovered:

  • Critical vulnerabilities that could have led to significant security incidents if left unpatched
  • Systematic coverage of vulnerability classes often missed by other testing methods, including XXE, LFI, SSRF, XSS, and SQLi

This shows how penetration testing helps you demonstrate your security commitment to customers through:

  • Third-party validation of your security controls and implementation
  • Professional security reports that can be shared with enterprise customers
  • Comprehensive coverage that complements existing security practices
  • Marketplace positioning potential for enhanced visibility of security-validated apps

How does the Marketplace Penetration Testing Program work?

The easiest and most streamlined approach is through our managed Bugcrowd partnership. This program is designed for all Marketplace partners, especially those new to penetration testing or those who prefer not to manage testing independently. You can opt in as many apps as you'd like in one streamlined form entry.

  1. Apply for the program through the landing page.
  2. Automated scoping and coordination - minimal setup is required; you can leave that to us.
  3. Scope and days of testing are agreed on by Atlassian and the partner - test pricing depends on the number of days required for the test. This can be anywhere from 2-7 days, based on the complexity of the app.
  4. Expert security testing by vetted security researchers familiar with Atlassian frameworks.
  5. Streamlined reporting, with findings automatically integrated into Atlassian's AMS Jira project.
  6. Remediation support and guidance throughout the process, if needed.

Getting started: 👉 Apply for managed penetration testing

No additional scoping is needed. Simply fill out the form, and we handle the rest.

Additional recommendations

For maximum program value, we also recommend:

  • Regular testing cadence - Annual or bi-annual testing to catch new vulnerabilities
  • Scope completeness - Include all major app functionality and user privilege levels
  • Documentation readiness - Maintain current architecture and security documentation
  • Internal security practices - Complement testing with secure development lifecycle practices

Self-managed Penetration Testing

This option is only recommended for partners with existing security testing contracts or vendors, or with specific compliance requirements that cannot be met through the managed program.

If you are not able to go through the Bugcrowd paved path, you may choose to engage a CREST Accredited testing vendor.

Requirements for self-managed testing:

To receive program credit for penetration testing conducted with non-Bugcrowd providers, you must submit your results for Atlassian validation. A completed penetration test report or security attestation from your vendor is required to begin the validation process.

  1. Raise an ECOHELP ticket to initiate the penetration test report approval process: Create ECOHELP ticket

  2. Create AMS (Atlassian Marketplace Security) tickets for every vulnerability from the penetration test with a Medium, High, or Critical CVSS 4.0 Severity. Use: Instructions on manually raising AMS tickets.

  3. Label your AMS tickets properly: For each AMS ticket, be sure to fill out the Source (set it to 'Pentest') and the Marketplace App Key, and add a label of the form ECOHELP-XXXXX denoting the key of the ECOHELP ticket that you raised in Step 1 for the penetration test review. This allows us to filter findings from this specific penetration test.
