At Atlassian, we have an extensive Vulnerability Management program which aims to reduce the frequency and severity of vulnerabilities in Atlassian products. We are taking a similar approach for managing vulnerabilities in Marketplace apps. Because Marketplace apps represent a large attack surface with potentially significant customer impact, we believe that a methodical process for identifying, tracking and resolving vulnerabilities in Marketplace apps is necessary.
In this section, we provide an overview of how we go about identifying and managing vulnerabilities in Marketplace apps and what is expected of app developers as part of this program.
We combine several approaches to identifying vulnerabilities in Marketplace apps. These include:
Marketplace Bug Bounty Program - We make use of Bugcrowd to enable Marketplace partners to run their own independent bug bounty programs. Bugcrowd provides participating partners with access to an expert, trusted community consisting of tens of thousands of cyber security researchers who are constantly testing their apps and reporting back any vulnerabilities they find.
Vulnerability Disclosure Program - The VDP provides a passive channel for customers and security researchers to report security vulnerabilities in any app in the Marketplace to Atlassian. The Atlassian security team will triage and accept vulnerabilities and forward valid issues to partners for remediation.
Ecoscanner - The Ecoscanner platform is used for performing security checks against all Marketplace cloud apps on an ongoing basis.
Customer, user, and partner reports - Users of Marketplace apps can report any bugs they encounter at any time via Atlassian Support or the Atlassian Ecosystem Help Center. We will then work with them to collect all necessary details so the vulnerability can be passed to the app developer and fixed. Partners are also asked to report incidents and vulnerabilities in their apps to Atlassian so that proper investigations can be conducted.
Atlassian Security team - We complete targeted reviews, both manual and tools-assisted, and notify app developers of any security vulnerabilities requiring remediation.
We are continuously evaluating new ways to improve the maturity of our discovery methods. Existing programs may evolve over time and new programs can be added.
To maximize the efficiency of vulnerability management across Marketplace apps, we have created a single integrated solution for tracking vulnerabilities regardless of source. We are leveraging https://ecosystem.atlassian.net, which is widely used for communications between partners and Atlassian, to create a single source of truth for tracking and resolving security vulnerabilities in Marketplace apps.
When a vulnerability in a Marketplace app is discovered through any of the sources listed above, it will be raised in a single Jira project called Atlassian Marketplace Security. This means that we have a single point from which to track vulnerabilities identified in Marketplace apps to ensure that nothing is overlooked. This will also help Atlassian spot common security gaps across all Marketplace apps to then prioritize more comprehensive solutions at the platform level.
To get access to the Atlassian Marketplace Security Jira, refer to Step 3 in this playbook.
To learn more about SLA management and what is expected from partners, please review the SLA management document. For more information about how the Atlassian Marketplace Security project is structured, see Additional information: Vulnerability tracking.
If you have any questions about how the Marketplace vulnerability management program works, please reach out to the Ecosystem security team through our service desk.