Starting Sept 1st, 2021 Atlassian is taking Vulnerability Disclosure Program(VDP bounty program) public on Bugcrowd and it can be accessed here. Additionally, you can explore all public bug bounty programs from Atlassian here.

Vulnerability Disclosure Program (VDP)

The Vulnerability Disclosure Program(VDP) for all third party Marketplace cloud apps provides a framework for Atlassian to securely accept and triage vulnerabilities submitted by Atlassian customers and security researchers, and then report those vulnerabilities to partners to remediate. VDP program aims to serve as a passive channel to report security vulnerabilities on any third party app in the Marketplace to Atlassian.

How is this different from the Marketplace Bug Bounty Program?

The purpose of VDP program is to provide a central channel for external researchers to report security issues and vulnerabilities identified in the Atlassian Marketplace, provide clear directives with respect to vulnerability intake process and also extend the customers trust in Atlassian Ecosystem. This program will be fully funded, owned, and run by Atlassian. All public third party Marketplace Cloud apps will be in scope by default. We plan to start the program with no monetary rewards but this may change as the program matures. The findings we receive from researchers will be reported to the appropriate partners. This will not change our approach to Marketplace Bug Bounty Program which will continue to run as-is. Partners are still encouraged to sign up for the Marketplace Bug Bounty Program because it will allow you to run your own bounty programs with appropriate rewards and scope to attract security researchers to find bugs and qualifying apps can receive Security Trust signals and Cloud Security Participant Badge in the Atlassian Marketplace.

Below table lists out additional differences between the two programs.

Program Benefits	Marketplace Bug Bounty Program	Marketplace Vulnerability Disclosure Program
Cloud Security Participant Badge	Satisfies one of the badge requirements.	Does not satisfy any badge requirements.
Personalized Program	Partners can personalize their programs to fit in with their environment.	VDP is run and maintained by Atlassian, partners cannot make personalizations.
Scope	Partner defined scopes.	All public Marketplace Cloud apps.
Rewards Structure	Partner defined rewards, partners can set higher rewards to encourage more researchers.	No rewards (this may change as program matures).
Reports Tracking	Bugcrowd Platform and AMS Jira project.	AMS Jira project only. Partners do not have access to VDP program.

Program Overview

VDP program is hosted on Bugcrowd platform and run by the Atlassian Ecosystem security team. The program is launched with all third party Cloud apps on marketplace in scope, and with no monetary rewards or points. As the program matures, we plan to include DC apps in scope, and may also provide monetary rewards for critical submissions.

How does the program work?

When a customer or security researcher discovers a vulnerability on an app and reports it through VDP, the Bugcrowd Application Security Engineering (ASE) team reviews the report for its validity and rejects any report if it is not reproducible or out of scope. The ASE team then passes on triaged reports to Atlassian.

Atlassian reviews the submission based on severity and forwards it to the respective partner using our vulnerability tracking Jira project called Atlassian Marketplace Security (AMS). Our automation creates a ticket in AMS Jira project for each submission and appropriate partner contacts are added to the ticket. Learn more about AMS Jira project here.

Once a partner is assigned to an issue in AMS, an automated Jira email notification is sent to notify partners. For more information on email notifications and access to vulnerability tickets, please read this DAC page.

What do we expect partners to do?

Partners do not have access to the VDP program on Bugcrowd. AMS Jira project is the only source of communication for vulnerabilities identified through VDP, so we ask that partners actively acknowledge the receipt of the vulnerability by following up on the ticket.

Once a partner gets notified of an AMS issue, we expect that the partner reviews the ticket, understands the vulnerability reported, takes note of the Remediation Due Date, and fixes the issue within the remediation SLA defined as per Security Bug Fix Policy for marketplace apps.

To identify the target app being reported, look for Bugcrowd Target field in the AMS ticket.

Once the issue has been fixed, partners must ensure that ticket status is appropriately transitioned to Patched or Waiting for Release accordingly. If a partner feels that an AMS ticket needs Atlassian Ecosystem Security team review, then the status of that ticket must be transitioned to Atlassian Input Requested state. For more details on AMS ticket statuses and workflows, please read this DAC page.

If for any reason a vulnerability cannot be fixed within SLA, partners can request an SLA extension. Please follow the instructions here to request an SLA extention.

In order to ensure security vulnerability tickets get correctly reported through AMS Jira project, please ensure you do the following:

Ensure you have the correct contacts assigned to the “Security Role” in your Marketplace vendor account. For more details, see here.
Ensure these contacts are signed up so they can be assigned to tickets in ecosystem.atlassian.net. Login to ecosystem.atlassian.net using your Atlassian account and you should be automatically added to ecosystem.atlassian.net site.

Vulnerability review practices

We have created a play to help partners build a culture of security and meet your security SLAs through deliberate practice. We highly recommend partners review the play and setup internal vulnerability review practices at their company.

FAQ

Can VDP satisfy Marketplace Cloud Security Participant badge requirements?

No, VDP is different from Marketplace Bug Bounty Program and does not satisfy any requirement for a Cloud Security Participant badge. We expect that VDP encourages partners to signup for their own bug bounty program in our Marketplace Bug Bounty Program.

My app is not being maintained and I cannot fix the vulnerability, can I ignore the AMS ticket?

No, we do not provide any exceptions to unmaintained apps or unsupported apps. To ensure that customers systems cannot be compromised by exploiting vulnerabilities in Marketplace apps, Marketplace partners are expected to fix vulnerabilities within the SLAs defined by the security bug fix policy.

If you would like to de-list/retire your marketplace app, please create a request here. After you have created the request, please comment with a link to the delist request.

I need additional information or help in understanding the vulnerability, can I get help?

Yes, Atlassian Ecosystem Security team can assist you here, you can just transition the ticket to Atlassian Input Requested and comment on the ticket.

My app already participates in Marketplace Bug Bounty Program, should I still expect reports from VDP?

We try to prevent duplicates to VDP by routing the researchers to app’s existing bug bounty programs, but in exceptional cases, there may still be some submissions that get reported. In these cases, you can notify Atlassian Ecosystem Security team of possible duplicates on the AMS ticket or through our service desk.