Submit your vulnerability report on any Marketplace App to security@atlassian.com. More ways to report a security vulnerability in Atlassian products can be found here. Additionally, you can explore all public bug bounty programs from Atlassian and Atlassian Marketplace here.
Vulnerabilities on Atlassian developed apps can be reported directly to our public bug bounty program at https://bugcrowd.com/atlassianapps