The Vulnerability Disclosure Program (VDP) for all third-party Marketplace Cloud and Data Center apps provides a framework for Atlassian to securely accept and triage vulnerabilities submitted by Atlassian customers and security researchers, and then report those vulnerabilities to partners for remediation. The VDP serves as a passive channel through which security vulnerabilities in any third-party Marketplace app can be reported to Atlassian.
The purpose of the VDP is to provide a central channel for external researchers to report security issues and vulnerabilities identified in the Atlassian Marketplace, to give clear directives on the vulnerability intake process, and to extend customers' trust in the Atlassian Ecosystem. The program is fully funded, owned, and run by Atlassian. Findings received from researchers are reported to the appropriate partners. This does not change our approach to the Marketplace Bug Bounty Program, which continues to run as-is. Partners are still encouraged to sign up for the Marketplace Bug Bounty Program: it lets partners run their own bounty programs with rewards and scope of their choosing to attract security researchers, and qualifying apps can receive Security Trust signals and the Cloud Security Participant Badge in the Atlassian Marketplace.
The table below lists additional differences between the two programs.
Program Benefits | Marketplace Bug Bounty Program | Marketplace Vulnerability Disclosure Program |
---|---|---|
Cloud Security Participant Badge | Satisfies one of the badge requirements. | Does not satisfy any badge requirements. |
Personalized Program | Partners can personalize their programs to fit in with their environment. | VDP is run and maintained by Atlassian, partners cannot make personalizations. |
Scope | Partner defined scopes. | All public Marketplace Cloud and Data Center apps. |
Rewards Structure | Partner defined rewards, partners can set higher rewards to encourage more researchers. | No rewards (this may change as program matures). |
Reports Tracking | Bugcrowd Platform and AMS Jira project. | AMS Jira project only. Partners do not have access to the VDP program on Bugcrowd. |
The VDP is hosted on the Bugcrowd platform and run by the Atlassian Ecosystem Security team. The program launched with all third-party Cloud and Data Center apps on the Marketplace in scope and with no monetary rewards. As the program matures, we may provide rewards for critical submissions.
When a customer or security researcher discovers a vulnerability in an app and reports it through the VDP, the Bugcrowd Application Security Engineering (ASE) team reviews the report for validity and rejects any report that is not reproducible or is out of scope. The ASE team then passes triaged reports on to Atlassian.
Atlassian reviews each submission based on severity and forwards it to the respective partner through our vulnerability tracking Jira project, Atlassian Marketplace Security (AMS). Our automation creates a ticket in the AMS Jira project for each submission and adds the appropriate partner contacts to the ticket. Learn more about the AMS Jira project here.
Once a partner is assigned to an issue in AMS, an automated Jira email notification is sent to the partner. For more information on email notifications and access to vulnerability tickets, please read this DAC page.
Partners do not have access to the VDP program on Bugcrowd. The AMS Jira project is the only channel of communication for vulnerabilities identified through the VDP, so we ask that partners actively acknowledge receipt of a vulnerability by following up on the AMS ticket.
Once a partner is notified of an AMS issue, we expect the partner to review the ticket, understand the reported vulnerability, take note of the Remediation Due Date, and fix the issue within the remediation SLA defined by the Security Bug Fix Policy for Marketplace apps.
To identify the app being reported, look for the Bugcrowd Target field in the AMS ticket.
Once the issue has been fixed, partners must ensure the ticket status is transitioned to Patched or Waiting for Release, as appropriate. If a partner feels that an AMS ticket needs review by the Atlassian Ecosystem Security team, the ticket must be transitioned to the Atlassian Input Requested state. For more details on AMS ticket statuses and workflows, please read this DAC page.
If for any reason a vulnerability cannot be fixed within the SLA, partners can request an SLA extension. Please follow the instructions here to request an SLA extension.
To ensure that security vulnerability tickets are correctly routed to you through the AMS Jira project, please do the following:
Ensure you have the correct contacts assigned to the "Security Role" in your Marketplace vendor account. For more details, see here.
Ensure these contacts have signed in so they can be assigned to tickets on ecosystem.atlassian.net. Log in to ecosystem.atlassian.net using your Atlassian account and you will be added to the ecosystem.atlassian.net site automatically.
No, the VDP is different from the Marketplace Bug Bounty Program and does not satisfy any requirement for the Cloud Security Participant badge. We expect the VDP to encourage partners to sign up for their own bug bounty program under the Marketplace Bug Bounty Program.
No, we do not provide exceptions for unmaintained or unsupported apps. To ensure that customer systems cannot be compromised by exploiting vulnerabilities in Marketplace apps, Marketplace partners are expected to fix vulnerabilities within the SLAs defined by the Security Bug Fix Policy.
If you would like to delist or retire your Marketplace app, please create a request here. After you have created the request, comment on the AMS ticket with a link to the delist request.
Yes, the Atlassian Ecosystem Security team can assist you here: transition the ticket to Atlassian Input Requested and add a comment describing what you need.
We try to prevent duplicate submissions to the VDP by routing researchers to an app's existing bug bounty program, but in exceptional cases some duplicates may still be reported. In these cases, you can notify the Atlassian Ecosystem Security team of possible duplicates on the AMS ticket or through our service desk.