Last updatedJul 22, 2020

Rate this page:

Marketplace Security Bug Bounty Program

A bug bounty program is one of the most powerful post-production tools to help detect vulnerabilities in applications and services. The Marketplace Security Bug Bounty program is a collaboration between Atlassian and Marketplace Partners aiming to continuously improve the security posture Atlassian Marketplace apps by leveraging crowdsourced vulnerability discovery methods available through bug bounty.

If you have one or more publicly listed apps in the Marketplace, you can apply to participate in this program. Participating apps that meet passing criteria will be highlighted on the Marketplace.

Program benefits and objectives

The program aims to give partners the tools to facilitate post-production vulnerability discovery in a cost-efficient way. If you are looking to start or extend your security story, the Marketplace Bug Bounty Program is a convenient way to ensure the security of your apps.

Flexibility

While Atlassian provides incentives and guidelines on how to run a successful bug bounty program, the details of implementation are largely determined by Marketplace Partners. This means that you can control the number of researchers invited to your program, the bounty payout structure, and the in-scope targets.
Therefore, whether you want to begin security testing on all of your apps, or with one or two and grow your program later, the Marketplace Bug Bounty Program can be tailored to fit your organization’s requirements and use cases.

Customer trust

A bug bounty program helps increase trust between partners and customers. From the program, you can generate third-party penetration test reports for your customers. For reference, please see Atlassian’s published reports on the Security practices page. Bug bounty programs are also a useful addition to compliance and privacy programs.

Marketplace Bug Bounty security badge

Beginning in July 2020, Atlassian highlights participating in paid bug bounty programs on the Atlassian Marketplace. We want to signal to our customers the apps that reward researchers for reporting vulnerabilities and promote security-conscious apps in the Marketplace.

**All of the below requirements must be met in order for an app to receive a security badge.

If your app fails to meet any of the requirements after the security badge has already been awarded, we will notify you and give you 30 days to address the issue before the security badge is revoked.**

Note that this security badge is awarded by hosting type. If your app has multiple hosting types (cloud/DC/server), each will be evaluated independently and may result in a different outcome.

If you would like to sign up for the Marketplace Bug Bounty Program, please raise a ticket in this service desk.

RequirementDescriptionWhy is this important?
ParticipationEligible apps must participate in the Marketplace Bug Bounty Program.
Participation means that an app is enrolled in the Marketplace Bug Bounty Program and is explicitly defined as a target in the program scope. Each hosting option of an app is considered a unique target.
When an app is removed from program scope or if submissions are paused, it will no longer qualify for the security badge.
This requirement ensures that you’ve authorized external researchers to test your apps for vulnerabilities, as well as committed to remediate security flaws in your apps.
ExposureEligible apps must be in scope of the Marketplace Bug Bounty Program for a minimum of 4 weeks and at least 100 security researchers must have been invited to the program. Note that time an app that participated in the Marketplace Bug Bounty Blitz counts toward this requirement.This requirement ensures that your app has been exposed to security testing long enough for researchers to discover and report potential issues.
IncentivesEligible apps must commit to the following minimum bounty payout structure:
P1 → $750
P2 → $450
P3 → $150
P4 → $50
Apps rewarding lower amounts or points only do not qualify.
Note: The ranges will be increased to the following amounts from October 1, 2020:
P1 → $1500
P2 → $900
P3 → $300
P4 → $100
This requirement ensures that you give researchers proper incentives to participate in your program and focus on target apps.
ResponsivenessEligible apps meet Triage SLAs for all incoming submissions. This means that reports must be accepted or rejected within 2 weeks after they have been triaged by Bugcrowd ASEThis requirement ensures that you review reports in a timely fashion and that there is a consistent feedback loop between you and security researchers.
RemediationEligible apps meet Remediation SLAs for all P1 (critical) and P2 (high) submissions. This means that critical and high severity vulnerabilities are remediated within Atlassian security SLAs.

How to request SLA extensions for fixing bug bounty submissions
Create an ESSD ticket with request type, “Request an SLA Extension”. Please create one ticket per SLA extension you are requesting. Use this form to request SLA extensions.
An EcoSec team member will reach out to you via the ESSD ticket and review the information you have provided and either approve or deny the request with an explanation. 
If the extension request has been approved, the ESSD SLA Extension request ticket will be left open in a “waiting for remediation” workflow state. Your app will still qualify for the security badge. Please let us know once the issue has been remediated so we can close the ticket out.
Please note if an SLA extension request is denied by the EcoSec team it will impact your app’s security badge because the Remediation SLA criteria will fail. However, your app will still be able to qualify for a security badge again after the issue has been resolved.
This requirement ensures that you are committed to fixing security vulnerabilities and that your remediation policy aligns with Atlassian standards.

Important: In order for your app to receive the Marketplace Bug Bounty security badge, you must make sure that each app in the target scope of your bounty program is the Marketplace listing URL and includes the hosting solution.

Additionally, in order for our automation to properly identify your app, you must ensure that you define your targets according to the following standard format, which is just the Marketplace listing URL:

https://marketplace.atlassian.com/apps/<app_id>/<app_name>?hosting=<hosting_solution>

Your target definition on the Bugcrowd platform should look like this:

Alt text

Additional recommendations

Atlassian has a long history of running a Bug Bounty Program. Through experience, we were able to narrow down a set of best practices that contribute to a successful program. We highly recommend for vendor partners to consider these practices in addition to the trust signal requirements:

  1. Assign a Bug Bounty program owner from your organization. The program owner is the point of contact for Atlassian should we need to get in touch about the bounty program.

  2. Continuously assess the value the program provides. Ask yourself if you are getting the most value out of your program? If you’re not seeing a lot of submissions, consider adding new targets or inviting more researchers to the program.

  3. Develop sound legal policy that protects both the company and the good-faith researcher. Policies like Safe Harbor allow organizations and researchers to set clear legal scope around parameters of testing.

How does the Marketplace Bug Bounty Program work?

The Marketplace Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers.

When you join the Marketplace Bug Bounty Program, your program starts as a private program, and Bugrowd invites researchers to participate.

When security researchers accept the invite to join your program, they are given instructions about what they are and aren’t allowed to test. These instructions are known as the scope of your program. For example, you may want the researchers to test your flagship marketplace applications, but not your main website or one of your newer applications. You also give the researchers instructions on how to set up each of the targets that they’re testing, so that the researchers can start testing quickly.

The security researchers then test your targets for vulnerabilities. When the researcher believes they have detected a vulnerability, they report the finding using the Bugcrowd platform, and include enough detail for others to reproduce the vulnerability.

The Bugcrowd Application Security Engineering (ASE) team then reviews the report. The ASE team ensures that the vulnerability is reproducible, is within the scope of your program, and includes any additional information you have requested.

When the ASE team is confident that the vulnerability report is valid, they flag it as triaged and your team is notified that a potential vulnerability has been discovered. Your team now reviews the report to make sure that you agree with the security researcher and ASE’s assessment that there is a vulnerability that needs fixing.

If your team decides that the vulnerability needs fixing, then you reward the security researcher with a bounty (see below for the recommended bounty amounts). This reward thanks the researcher and compensates them for their hard work and dedication in finding the vulnerability. This is also when you create a ticket for your development team to fix the vulnerability and improve the security of your application.

When the vulnerability is fixed, notify the researcher and they are usually happy to test your fix.

And that’s it. Your application is more secure, the researcher moves on to look for more vulnerabilities, and the circle begins again.

Program cost

As part of the agreement with Bugcrowd, Atlassian covers all of the platform costs for our partners: you do not have to pay for access to the Bugcrowd platform and services.

You, as the partner, need to cover the costs of the bounty payouts. Below is a table of the minimum recommended payout structure for your bug bounty program. It is possible to set up lower payout ranges or points-only reward; however, it is not encouraged if you want to maintain a successful program.

Vulnerability severityBug bounty reward amount (in USD)
P1 (Critical)$1,500
P2 (High)$900
P3 (Medium)$300
P4 (Low)$100
P5 (No appreciable security impact)$0

Please note that you are not locked into the payout range you start out with. Instead, you can increase the payouts over time, as your program matures.

The decision about the severity of a vulnerability and the payout to the researcher is entirely at your discretion. You are not required to pay for duplicate submissions and will generally pay out only for the first report of any valid vulnerability.

How do I join the Marketplace Bug Bounty Program?

If you’re a Marketplace Partner in the Atlassian Marketplace, you can request to join the program by raising a ticket at this service desk. The Ecosystem Security Team will work with you to set up your program.

The Atlassian Ecosystem Security Team is also happy to answer any questions or queries you may have about the program via the same service desk. Alternatively, Bugcrowd offers an FAQ.

Rate this page: