Atlassian Marketplace Developer
Last updated Dec 10, 2020

Vulnerability Disclosure Program (VDP)

Please note this program has not launched yet. We are planning to launch sometime between April and June 2021 and will be updating this page with additional information.

Atlassian will be launching a vulnerability disclosure program for all Marketplace cloud apps. This will provide a framework for Atlassian to securely accept and triage vulnerabilities submitted by Atlassian customers and security researchers, and then report those vulnerabilities to partners to remediate. Similar to how Atlassian receives security vulnerabilities for our own cloud and DC products, this creates a passive channel for customers and security researchers to report security vulnerabilities on any app in the Marketplace to Atlassian.

How is this different from the Marketplace Bug Bounty Program?

This program will be fully funded, owned, and run by Atlassian. We will define the scope, targets, and rewards for the vulnerability disclosure program. We plan to start the program with a points-only model, where we do not provide monetary rewards for any findings and instead award recognition using points through Bugcrowd to those who report legitimate security vulnerabilities. The findings we receive from researchers will be triaged by Atlassian and reported to the appropriate partners. This will not change our approach to the Marketplace Bug Bounty Program, which will continue to run as-is. Partners are still encouraged to sign up for the Marketplace Bug Bounty Program because it will allow you to run your own bounty programs with appropriate rewards and scope to attract security researchers to find bugs. Qualifying apps can receive Security Trust signals and the Cloud Security Participant Badge in the Atlassian Marketplace.

We aim to launch this program in the April-June 2021 timeframe. More dates and timelines will be shared in April 2021.

What do we expect partners to do?

Atlassian will run the VDP and report identified security vulnerabilities to the appropriate partners. To ensure security vulnerability tickets are correctly reported through ecosystem.atlassian.net, please do the following:

  1. Ensure you have the correct contacts assigned to the “Security Role” in your Marketplace vendor account. For more details, see here.

  2. Ensure these contacts are signed up so they can be assigned to tickets in ecosystem.atlassian.net. Log in to ecosystem.atlassian.net using your Atlassian account and you should be automatically added to the ecosystem.atlassian.net site.
