Rate this page:
A bug bounty program is one of the most powerful post-production tools to help detect vulnerabilities in applications and services. The Marketplace Security Bug Bounty program is a collaboration between Atlassian and Marketplace Partners aiming to continuously improve the security posture Atlassian Marketplace apps by leveraging crowdsourced vulnerability discovery methods available through bug bounty.
If you have one or more publicly listed apps in the Marketplace, you can apply to participate in this program. Participating apps that meet passing criteria will be highlighted on the Marketplace.
The program aims to give partners the tools to facilitate post-production vulnerability discovery in a cost-efficient way. If you are looking to start or extend your security story, the Marketplace Bug Bounty Program is a convenient way to ensure the security of your apps.
While Atlassian provides incentives and guidelines on how to run a successful bug bounty program,
the details of implementation are largely determined by Marketplace Partners. This means that you can control the number
of researchers invited to your program, the bounty payout structure, and the in-scope targets.
Therefore, whether you want to begin security testing on all of your apps, or with one or two and grow your program later, the Marketplace Bug Bounty Program can be tailored to fit your organization’s requirements and use cases.
A bug bounty program helps increase trust between partners and customers. From the program, you can generate third-party penetration test reports for your customers. For reference, please see Atlassian’s published reports on the Security practices page. Bug bounty programs are also a useful addition to compliance and privacy programs.
Beginning in July 2020, Atlassian highlights participating in paid bug bounty programs on the Atlassian Marketplace. We want to signal to our customers the apps that reward researchers for reporting vulnerabilities and promote security-conscious apps in the Marketplace.
All of the below requirements must be met in order for an app to receive the Cloud Security Participant badge.
In order for our automation to properly identify your app, you must ensure that you define your targets according to the following standard format, which is adding the Marketplace listing URL in your target definition:
Your target definition on the Bugcrowd platform should look like this:
Note that this security badge is awarded by hosting type. If your app has multiple hosting types (cloud/DC/server), each will be evaluated independently and may result in a different outcome.
|Requirement||Description||Why is this important?|
|Participation||Eligible apps must participate in the Marketplace Bug Bounty Program. |
Participation means that an app is enrolled in the Marketplace Bug Bounty Program and is explicitly defined as a target in the program scope. Each hosting option of an app is considered a unique target.
When an app is removed from program scope or if submissions are paused, it will no longer qualify for the security badge.
|This requirement ensures that you’ve authorized external researchers to test your apps for vulnerabilities, as well as committed to remediate security flaws in your apps.|
|Exposure||Eligible apps must be in scope of the Marketplace Bug Bounty Program for a minimum of 4 weeks and at least 100 security researchers must have been invited to the program. Note that time an app that participated in the Marketplace Bug Bounty Blitz counts toward this requirement.||This requirement ensures that your app has been exposed to security testing long enough for researchers to discover and report potential issues.|
|Incentives||Eligible apps must commit to the following minimum bounty payout structure: |
P1 → $1500
P2 → $900
P3 → $300
P4 → $100
Apps rewarding lower amounts or points only do not qualify.
|This requirement ensures that you give researchers proper incentives to participate in your program and focus on target apps.|
|Responsiveness||Eligible apps meet Triage SLAs for all incoming submissions. This means that reports must be accepted or rejected within 2 weeks after they have been triaged by Bugcrowd ASE||This requirement ensures that you review reports in a timely fashion and that there is a consistent feedback loop between you and security researchers.|
|Remediation||Eligible apps meet Remediation SLAs for all P1 (critical) and P2 (high) submissions. This means that critical and high severity vulnerabilities are remediated within Atlassian security SLAs. |
How to request SLA extensions for fixing bug bounty submissions
Create an ESSD ticket with request type, “Request an SLA Extension”. Please create one ticket per SLA extension you are requesting. Use this form to request SLA extensions.
An EcoSec team member will reach out to you via the ESSD ticket and review the information you have provided and either approve or deny the request with an explanation.
If the extension request has been approved, the ESSD SLA Extension request ticket will be left open in a “waiting for remediation” workflow state. Your app will still qualify for the security badge. Please let us know once the issue has been remediated so we can close the ticket out.
Please note if an SLA extension request is denied by the EcoSec team it will impact your app’s security badge because the Remediation SLA criteria will fail. However, your app will still be able to qualify for a security badge again after the issue has been resolved.
|This requirement ensures that you are committed to fixing security vulnerabilities and that your remediation policy aligns with Atlassian standards.|
Atlassian has a long history of running a Bug Bounty Program. Through experience, we were able to narrow down a set of best practices that contribute to a successful program. We highly recommend for vendor partners to consider these practices in addition to the trust signal requirements:
Assign a Bug Bounty program owner from your organization. The program owner is the point of contact for Atlassian should we need to get in touch about the bounty program.
Continuously assess the value the program provides. Ask yourself if you are getting the most value out of your program? If you’re not seeing a lot of submissions, consider adding new targets or inviting more researchers to the program.
Develop sound legal policy that protects both the company and the good-faith researcher. Policies like Safe Harbor allow organizations and researchers to set clear legal scope around parameters of testing.
In the first week of every month, Atlassian does an automated check to ensure partners and their apps have either
maintained their eligibility for the security badge or
become newly eligible for the security badge
The apps are then updated based on the results of the automated check. Note, occasionally the automation is delayed due to internal dependencies and may run a few days later than planned. If you think your badge has been updated incorrectly, please raise an Ecosystem Security Service Desk ticket.
The Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers.
When you join the Marketplace Bug Bounty Program, your program starts as a private program, and Bugrowd invites researchers to participate.
When security researchers accept the invite to join your program, they are given instructions about what they are and aren’t allowed to test. These instructions are known as the scope of your program. For example, you may want the researchers to test your flagship marketplace applications, but not your main website or one of your newer applications. You also give the researchers instructions on how to set up each of the targets that they’re testing, so that the researchers can start testing quickly.
The security researchers then test your targets for vulnerabilities. When the researcher believes they have detected a vulnerability, they report the finding using the Bugcrowd platform, and include enough detail for others to reproduce the vulnerability.
The Bugcrowd Application Security Engineering (ASE) team then reviews the report. The ASE team ensures that the vulnerability is reproducible, is within the scope of your program, and includes any additional information you have requested.
When the ASE team is confident that the vulnerability report is valid, they flag it as triaged and your team is notified that a potential vulnerability has been discovered. Your team now reviews the report to make sure that you agree with the security researcher and ASE’s assessment that there is a vulnerability that needs fixing.
If your team decides that the vulnerability needs fixing, then you reward the security researcher with a bounty (see below for the recommended bounty amounts). This reward thanks the researcher and compensates them for their hard work and dedication in finding the vulnerability. This is also when you create a ticket for your development team to fix the vulnerability and improve the security of your application.
When the vulnerability is fixed, notify the researcher and they are usually happy to test your fix.
And that’s it. Your application is more secure, the researcher moves on to look for more vulnerabilities, and the circle begins again.
As part of the agreement with Bugcrowd, Atlassian covers all of the platform costs for our partners: you do not have to pay for access to the Bugcrowd platform and services.
You, as the partner, need to cover the costs of the bounty payouts. Below is a table of the minimum recommended payout structure for your bug bounty program. It is possible to set up lower payout ranges or points-only reward; however, it is not encouraged if you want to maintain a successful program.
|Vulnerability severity||Bug bounty reward amount (in USD)|
|P5 (No appreciable security impact)||$0|
Please note that you are not locked into the payout range you start out with. Instead, you can increase the payouts over time, as your program matures.
The decision about the severity of a vulnerability and the payout to the researcher is entirely at your discretion. You are not required to pay for duplicate submissions and will generally pay out only for the first report of any valid vulnerability.
If you’re a Marketplace Partner in the Atlassian Marketplace, you can request to join the program by raising a ticket at this service desk. The Ecosystem Security Team will work with you to set up your program.
The Atlassian Ecosystem Security Team is also happy to answer any questions or queries you may have about the program via the same service desk. Alternatively, Bugcrowd offers an FAQ.
Rate this page: