How do I see if a Marketplace App has any outstanding security issues

Steven Parr October 21, 2022

Hi All,

We want to install a Marketplace app to integrate Jira and GitHub. I can see that the app built by Atlassian is part of the Bug Bounty and has Security certification. The app is: https://marketplace.atlassian.com/apps/1219592/github-for-jira?tab=overview&hosting=cloud

While I see that the app is developed by Atlassian (that's a big tick), and I can see it has security certification (another big tick), I don't see from the bug bounty how I can tell whether there are any outstanding security concerns with the app.

Am I overthinking this? If the Marketplace itself is secure, is the app secure by default because it has the above two big ticks (this doesn't feel like it should be the case), or is there some way I can specifically check if there are concerns with the app as it stands? I have linked through to the bug bounty and checked the Crowdstream. There are a fair few pages to click through to see if GitHub appears in the title, but I'm wondering if this will tell me anything. Also, if GitHub does not appear, is it safe to say there are no current concerns identified (at least through the bug bounty)?

Apologies for the long question,

Steve

1 answer

0 votes
marc -Collabello--Phase Locked-
Community Champion
October 21, 2022

Hi @Steven Parr ,

Security vulnerabilities in apps are not communicated publicly when they come from the bug bounty program. However, the vendor of the app has a deadline to resolve the vulnerability.

I think it wouldn't be good to communicate the vulnerability before fixing it (within a reasonable time frame).

Steven Parr October 21, 2022

Hi @marc -Collabello--Phase Locked-,

That makes a lot of sense. I guess I would be looking for anything historical to see trends or major security risks with a particular app.

However, I wonder if you could sense-check my thinking. If apps are part of the Bug Bounty and Security Certified, then it's reasonable to assume that developers are identifying security bugs via the bug bounty user base and are actively fixing items, as they have to do this by being part of the bounty.

Therefore, we should be relatively comfortable with these apps even if we can't see exact details of current issues. This feels like a pragmatic approach?

Steve 

marc -Collabello--Phase Locked-
Community Champion
October 21, 2022

For a pragmatic approach, that should be fine.

In addition to the bug bounty program, Atlassian security researchers also check some security aspects for Cloud Fortified apps.

However, I'd also recommend doing your own due diligence with respect to vendors. You might have specific security requirements, which might exclude vendors from specific jurisdictions. That is your responsibility, and not Atlassian's.

Steven Parr October 21, 2022

@marc -Collabello--Phase Locked- ok understood.

Makes sense; in this case it is an Atlassian-built app for GitHub integration :)

Thanks for the swift response.

DEPLOYMENT TYPE
CLOUD
PRODUCT PLAN
STANDARD
PERMISSIONS LEVEL
Product Admin